Flaw in Microsoft Office Web Components could allow remote compromise

by Steve Ragan - Jul 13 2009, 21:35

'Browse and get owned' is how Microsoft describes it. The software giant has issued a strong warning for users of Excel concerning a new vulnerability being exploited online. The attacks target the Spreadsheet ActiveX Control in Microsoft Office Web Components, resulting in remote code execution and, in some cases, it is believed that no user intervention is required for the attack to be a success.

Flaw in Microsoft Office Web Components could allow remote compromise.(Img:Microsoft)

On the eve of patch Tuesday, Microsoft has issued another Security Advisory on an ActiveX flaw that will compromise a system if exploited. There are confirmed instances of the vulnerability being used in attacks online and, according to Microsoft, the exploitation might not even require user intervention. Microsoft has said it is working on a patch, which will “[be] released once it reaches an appropriate level of quality for broad distribution.”Two things to note. The first is that this newest vulnerability has a quick fix, and the second is that it does not affect users of Internet Explorer 8 or Office 2007. The problem is that the bulk of Microsoft customers are using versions of software far from current. It isn’t uncommon to see Office 2003 or Internet Explorer 7, as well as older versions of Microsoft Office deployed across a business network. So this makes this new vulnerability disclosure just as important as the one that will be patched on Tuesday.The vulnerability centers on Microsoft Office Web Components, specifically the Spreadsheet ActiveX control. The Microsoft Office Web Components are a part of a collection of COM controls used to publish spreadsheets, charts, and databases to the Web, and also for viewing the published components online. If a malicious site is viewed, the exploited vulnerability will lead to code execution.“The last couple of weeks have been interesting for anybody following Microsoft Security. Beyond the DirectShow vulnerability zero-day at the end of May, Microsoft has been forced to acknowledge two other zero-days vulnerabilities. Both are related to ActiveX,” said Wolfgang Kandek, Qualys’ CTO, when The Tech Herald asked for his thoughts on today’s announcement. “Browsing websites that have exploit code embedded with Internet Explorer is the main attack vector, which will certainly fuel the discussion around the use of alternative browsers. Microsoft has quickly provided easy to use workarounds for both vulnerabilities via their Fixit program, but it is not clear why they have waited for over a year to provide a fix the underlying coding problems which they were notified of in Spring of 2008,” he added.Related to this newest ActiveX vulnerability is the one reported last week, which is a stack overflow in DirectShow MPEG2TuneRequest -- yet another issue with ActiveX. Microsoft caught flack for admitting that it was well aware of the flaw for quite some time and held off patching it. That ActiveX issue will be addressed in Tuesday’s patch release.According to Microsoft, XP, Office 2003, ISA 2004 and 2006, as well as Small Business Accounting 2006, are affected by the newest vulnerability. In lieu of an official patch, Microsoft has offered a quick fix and several workarounds.The Security Advisory, which contains official workarounds, can be found here.The Quick Fix using the Fixit Tool is here. Want regular updates from The Tech Herald? Follow us on Twitter.Interested in a more interactive TTH? Join our Facebook Group.

Comment on this Story

Interested in a more interactive TTH? Join our Facebook Group
Want regular updates from The Tech Herald? Follow us on Twitter

Comment on this Story

Note our older Talkback system is still running below. We hope to import existing comments into the new system shortly. Guest posting is still allowed, however, you can now login with any number of social network accounts.

Talkback

Add your comment (no registration required)

page: 1

MajJul 16th, 2009 - 20:18:05

I wasn't able to find in the Microsoft Security Advisory where they described the problem as 'Browse and get owned.'

Perhaps you could help me find it?

Report this comment

SteveR-TTHJul 16th, 2009 - 20:34:09

@Maj

'This vulnerability could be used for remote code execution in a 'browse and get owned' scenario. User interaction is required since a user needs to go to a malicious website that hosts the exploit.' - Fermin J. Serna, MSRC Engineering (SRD Blog 7-13-09, Microsoft Office Web Components vulnerability)

Also, an earlier SRD post, 'A browse-and-get-owned attack vector exists. A user needs to be lured to navigate to a malicious website or a compromised legitimate website to be affected. No further user interaction is needed.' - Chengyun Chu, MSRC Engineering (SRD Blog 7-6-09, MPEG2TuneRequest vulnerability)

Best,
Steve

Report this comment

page: 1

Add your comment (no registration required)

Security

Flaw in Microsoft Office Web Components could allow remote compromise

Comment on this Story

Talkback

Latest

Latest Articles on Monsters&Critics

In The Tech Herald

Site

The Fine Print