Credit:
The information has been provided by Haifei Li.
The original article can be found at: http://www.fortiguardcenter.com/advisory/FGA-2009-27.html
Vulnerable Systems:
* Microsoft Office XP Service Pack 3
* Microsoft Office 2003 Service Pack 3
* Microsoft Office XP Web Components Service Pack 3
* Microsoft Office 2003 Web Components Service Pack 3
* Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
* Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
* Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
* Microsoft Internet Security and Acceleration Server 2006
* Internet Security and Acceleration Server 2006 Supportability Update
* Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
* Microsoft Office Small Business Accounting 2006
Immune Systems:
* Microsoft Office 2000 Service Pack 3
* 2007 Microsoft Office Suite Service Pack 1 and 2007 Microsoft Office Suite Service Pack 2
* Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
* Microsoft Forefront Threat Management Gateway, Medium Business Edition
* Microsoft Internet Security and Acceleration Server 2000 Service Pack 2
A remote attacker could craft a malicious HTML document that exploits Internet Explorer. The vulnerability lies in the default ActiveX control installed by Microsoft Office. A crafted object may be created and passed to a method of this control, which causes memory corruption in Internet Explorer. After the corruption has occurred, a few specific actions will lead Internet Explorer to remote code execution through a call instruction.
Microsoft is investigating a vulnerability in Microsoft Office Web Components. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
Mitigating Factors:
By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.
By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Workarounds
Prevent Office Web Components Library from running in Internet Explorer:
Note See Microsoft Knowledge Base Article 973472 for information on how to implement this workaround automatically.
You can disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry.
For detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow the steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.
The following Class Identifiers relate to Microsoft Office Web Components:
Class Identifier
{0002E541-0000-0000-C000-000000000046}
{0002E559-0000-0000-C000-000000000046}
Note The Class Identifiers and corresponding files where the ActiveX objects are contained are documented in the table above. Replace {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifier found in this table.
To set the kill bit for a CLSID with a value of {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}]
"Compatibility Flags"=dword:00000400
You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy.
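An added example, not part of the original advisory or Microsoft's guidance: a PowerShell script that audits both Class Identifiers listed above for the kill bit and, with -Apply, sets it without overwriting other Compatibility Flags bits that may already be present. The function names and the -Apply switch are assumptions of this example; the Wow6432Node path is included because 32-bit Internet Explorer on 64-bit Windows reads that registry view, which the .reg text above does not cover.

```powershell
# Added example, not from the advisory. Run elevated when using -Apply (writes to HKLM).
param([switch]$Apply)   # hypothetical switch: without it the script only audits

$KillBit = 0x400        # "Compatibility Flags" bit that blocks instantiation in IE
$Clsids  = '{0002E541-0000-0000-C000-000000000046}',
           '{0002E559-0000-0000-C000-000000000046}'
# Native view plus the 32-bit view used by 32-bit IE on 64-bit Windows
$Roots   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

function Test-KillBit {
    param([string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }          # key or value missing: control not blocked
    return (($item.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$KeyPath)
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $current = 0
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($item) { $current = $item.'Compatibility Flags' }
    # OR the bit in so that any other compatibility flags already set are kept
    New-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

foreach ($root in $Roots) {
    if (-not (Test-Path -Path $root)) { continue }  # e.g. no Wow6432Node on 32-bit Windows
    foreach ($clsid in $Clsids) {
        $key = "$root\$clsid"
        if ($Apply -and -not (Test-KillBit $key)) { Set-KillBit $key }
        # One result object per key, suitable for export or a compliance report
        New-Object PSObject -Property @{ Key = $key; KillBitSet = (Test-KillBit $key) }
    }
}
```

Any row with KillBitSet equal to False marks a registry view in which Internet Explorer can still instantiate the control.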
CVE Information:
CVE-2009-1136