|
|
|
|
| |
Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx
|
| |
Affected Software:
* Microsoft Office XP Service Pack 3 (KB953405) - Remote Code Execution - Important - MS08-016
* Microsoft Office 2003 Service Pack 2 (KB953404) - Remote Code Execution - Important - MS08-016
* Microsoft Office 2003 Service Pack 3 (KB953404) - Remote Code Execution - Important - None
* 2007 Microsoft Office System (KB951944) - Remote Code Execution - Important - MS07-025
* 2007 Microsoft Office System Service Pack 1 (KB951944) - Remote Code Execution - Important - None
Microsoft Office OneNote 2007 (KB950130) - Microsoft Office OneNote 2007 Service Pack 1 (KB950130) - Remote Code Execution - Critical - None
Non-Affected Software:
* Microsoft Office 2000 Service Pack 3
* Microsoft Office OneNote 2003 Service Pack 2
* Microsoft Office OneNote 2003 Service Pack 3
* Microsoft Office PowerPoint Viewer 2003
* Microsoft Office Word Viewer 2003
* Microsoft Office Word Viewer 2003 Service Pack 3
* Microsoft Office Excel Viewer 2003
* Microsoft Office Excel Viewer 2003 Service Pack 3
* Microsoft Office Excel Viewer
* Microsoft Office PowerPoint 2007 Viewer
* Microsoft Office PowerPoint Viewer 2007 Service Pack 1
* Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
* Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
* Microsoft Office 2004 for Mac
* Microsoft Office 2008 for Mac
* Microsoft Visual Studio 2008
* Microsoft Visual Studio 2008 Service Pack 1
* Microsoft Expression Web
* Microsoft Expression Web 2
Uniform Resource Locator Validation Error Vulnerability - CVE-2008-3007
A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted URLs using the OneNote protocol handler (onenote://). The vulnerability could allow remote code execution if a user clicks a specially crafted OneNote URL. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE Information:
CVE-2008-3007
Mitigating Factors for Uniform Resource Locator Validation Error Vulnerability - CVE-2008-3007
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
* In a Web-based attack scenario, a Web site could contain a specially crafted link (onenote://) that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open a specially crafted OneNote URL, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site, and then convincing them to click the specially crafted link.
* An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
* The vulnerability cannot be exploited automatically through previewing an e-mail. For an attack to be successful a user must click a specially crafted link that is sent in an e-mail message.
|
|
|
|
|
