MS-ISAC ADVISORY NUMBER:
2008-011

DATE(S) ISSUED:
3/11/2008

SUBJECT:
Microsoft Office Web Components Remote Code Execution Vulnerability

OVERVIEW:

Two vulnerabilities have been discovered in Microsoft Office Web Components which could allow a remote attacker to take complete control of an affected system. The vulnerabilities can be exploited if a user visits a specially crafted web page. Successful exploitation will result in an attacker gaining the same user privileges as the logged-on user. If the user is logged in with administrator privileges, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

SYSTEMS AFFECTED:

  • Microsoft Office 2000 Service Pack 3
  • Microsoft Office XP Service Pack 3
  • Microsoft Visual Studio .NET 2002 Service Pack 1
  • Microsoft Visual Studio .NET 2003 Service Pack 1
  • Microsoft BizTalk Server 2000
  • Microsoft BizTalk Server 2002
  • Microsoft Commerce Server 2002
  • Internet Security and Acceleration Server 2000 Service Pack 2

RISK:
Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Two vulnerabilities have been discovered in Microsoft Office Web Components which could allow a remote attacker to take complete control of an affected system. Details of these vulnerabilities are as follows:

Microsoft Office Web Components URL Parsing Vulnerability
A memory corruption vulnerability has been found in the way Microsoft Office Web Components handles specially crafted URLs, which results in corruption of system memory in such a way that an attacker could execute arbitrary code.

Microsoft Office Web Components DataSource Vulnerability
Another memory corruption vulnerability has been discovered in the way Microsoft Office Web Components manages memory resources, which results in corruption of system memory in such a way that an attacker could execute arbitrary code.

Both of these vulnerabilities can be exploited if a user visits a specially crafted malicious web site. Successful exploitation could allow an attacker to execute arbitrary code on the system. If the user is logged in with administrator privileges, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

RECOMMENDATIONS:

We recommend that the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing. The patch is available at: http://www.microsoft.com/technet/security/bulletin/ms08-017.mspx
  • Do not visit unknown or untrusted websites or follow links provided by unknown or untrusted sources.
  • Ensure that all anti-virus software is up to date with the latest signatures.
  • Block untrusted incoming traffic from the Internet at your network perimeter.

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS08-017.mspx

SecurityFocus:
http://www.securityfocus.com/bid/28135

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4695
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1201


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.