MA-178.072009: MyCERT Alert - 0day in Microsoft Office Web Components

1.0 Introduction

A critical vulnerability has been identified in Microsoft Office Web Components, a set of ActiveX controls that let users view spreadsheets, charts and databases in a web page. According to Microsoft, the vulnerability is in the Spreadsheet ActiveX control, which Internet Explorer (IE) uses to render the data in the browser. Exploitation causes the application to crash and could allow an attacker to take control of the affected system. MyCERT is aware that a '0-day' exploit is available in the wild and is actively being used by attackers.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary code on a system with a vulnerable installation of Microsoft Office Web Components, with the same privileges as the logged-on user. Because IE loads the control for any web page that instantiates it, a successful exploit could be used to install malware on the user's computer simply by having the user view a malicious page.

3.0 Affected Products

The following Microsoft products are affected:

- Microsoft Office XP Service Pack 3
- Microsoft Office 2003 Service Pack 3
- Microsoft Office XP Web Components Service Pack 3
- Microsoft Office 2003 Web Components Service Pack 3
- Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
- Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
- Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
- Microsoft Internet Security and Acceleration Server 2006
- Internet Security and Acceleration Server 2006 Supportability Update
- Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
- Microsoft Office Small Business Accounting 2006
4.0 Recommendation

At the time of writing, Microsoft has not released a patch for this vulnerability. Until one is available, users are advised to prevent the Office Web Components Library from running in Internet Explorer. An ActiveX control can be prevented from running in IE by setting its kill bit, so that IE never loads the control when default settings are used. The class identifiers (CLSIDs) to be disabled are:

- {0002E541-0000-0000-C000-000000000046}
- {0002E559-0000-0000-C000-000000000046}
To apply the workaround that disables the Office Web Components Library automatically, download the Microsoft Fix it from http://go.microsoft.com/?linkid=9672747 and follow the steps in the wizard. This Microsoft Fix it applies to:

- Microsoft Office Small Business Accounting 2006
- Microsoft Office 2003 Web Components for the 2007 Microsoft Office system
- Microsoft Office 2003 Service Pack 3
- Microsoft Office 2003 Web Components
- Microsoft Internet Security and Acceleration Server 2004 Standard Edition
If you are unable to download it or prefer to apply the workaround manually, set the kill bit by hand as follows:

- Open Registry Editor (regedit.exe) and navigate to the following key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
- Under that key, create a new subkey named after the CLSID to be disabled. In this case the CLSID is {0002E541-0000-0000-C000-000000000046}.
- Inside the new subkey, create a DWORD value named Compatibility Flags, or modify it if it already exists.
- Set the Compatibility Flags DWORD value to 0x00000400. If the value already exists with other bits set, keep those bits and add 0x00000400 to them rather than overwriting, so that existing compatibility settings for the control are preserved.
- Repeat the steps above for the second CLSID, {0002E559-0000-0000-C000-000000000046}.
- Close any running Internet Explorer windows so that new sessions pick up the change.
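The manual steps above, as an added PowerShell script that is not part of the MyCERT advisory or of Microsoft's Fix it. It sets the kill bit for both CLSIDs listed in the advisory, ORs the 0x400 bit into any existing Compatibility Flags value instead of overwriting it, also covers the Wow6432Node key that the 32-bit IE reads on 64-bit Windows, and reads each value back to confirm. The function names are the example's own; the registry paths, CLSIDs and the 0x00000400 kill-bit value are those given in the advisory.

```powershell
# Added example (not part of the MyCERT advisory): set the Internet Explorer
# kill bit for the two Office Web Components CLSIDs the advisory lists.
# Run from an elevated (Run as administrator) PowerShell prompt.

# CLSIDs taken from the advisory above.
$Clsids = @(
    '{0002E541-0000-0000-C000-000000000046}',
    '{0002E559-0000-0000-C000-000000000046}'
)

# Bit 0x400 of the "Compatibility Flags" DWORD is the IE kill bit.
$KillBit = 0x00000400

# Registry locations IE consults. On 64-bit Windows the 32-bit IE reads the
# Wow6432Node view, so both are covered when that key exists.
$Bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
$Wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
if (Test-Path $Wow) { $Bases += $Wow }

function Get-CompatibilityFlags {
    # Returns the current Compatibility Flags DWORD for a CLSID key, or 0 if unset.
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) { return 0 }
    $item = Get-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit {
    # Creates the CLSID subkey if needed and ORs the kill bit into Compatibility
    # Flags. ORing rather than overwriting keeps any flags already present.
    param([string]$Base, [string]$Clsid)
    $keyPath = Join-Path -Path $Base -ChildPath $Clsid
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    $current = Get-CompatibilityFlags -KeyPath $keyPath
    $new = $current -bor $KillBit
    Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Value $new -Type DWord
    return $keyPath
}

function Test-KillBit {
    # True when the kill bit is set for the CLSID under the given base key.
    param([string]$Base, [string]$Clsid)
    $keyPath = Join-Path -Path $Base -ChildPath $Clsid
    return ((Get-CompatibilityFlags -KeyPath $keyPath) -band $KillBit) -eq $KillBit
}

foreach ($base in $Bases) {
    foreach ($clsid in $Clsids) {
        $path = Set-KillBit -Base $base -Clsid $clsid
        if (Test-KillBit -Base $base -Clsid $clsid) {
            Write-Output "Kill bit set: $path"
        } else {
            Write-Warning "Failed to set kill bit: $path"
        }
    }
}
```

Running the script a second time is harmless: the OR leaves an already-set bit unchanged and the read-back still reports success. Close any open Internet Explorer windows afterwards so new sessions honour the kill bit, and remove the subkeys (or clear the bit) once Microsoft's patch has been applied if the controls are needed again.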
Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor. Users who receive suspicious files or URLs can forward them to MyCERT for further analysis. MyCERT can be reached through the following channels:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References