SECURITYVULNS:DOC:19383
History: Mar 12, 2008 - 12:00 a.m.

Microsoft Security Bulletin MS08-017 - Critical Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)


Microsoft Security Bulletin MS08-017 - Critical
Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)
Published: March 11, 2008

Version: 1.0
General Information
Executive Summary

This critical update resolves two privately reported vulnerabilities in Microsoft Office Web Components. These vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This is a critical security update for implementations of Microsoft Office Web Components 2000 on supported editions of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003 Service Pack 1, Microsoft BizTalk Server 2000 and Microsoft BizTalk Server 2002, Microsoft Commerce Server 2000, and Internet Security and Acceleration Server 2000 Service Pack 2. For more information, see the subsection, Affected and Non-Affected Software, in this section.

This security update addresses the security vulnerabilities by modifying the way that Microsoft Office Web Components handles error conditions and manages memory resources, and by setting the kill bits for Microsoft Office Spreadsheet 2000 controls. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. None
Affected and Non-Affected Software

The software listed here has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit the Microsoft Support Lifecycle.

Affected Software
| Office Suite and Other Software | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
|---|---|---|---|---|
| Client | | | | |
| Microsoft Office 2000 Service Pack 3 | Microsoft Office Web Components 2000 (KB931660) | Remote Code Execution | Critical | None |
| Microsoft Office XP Service Pack 3 | Microsoft Office Web Components 2000 (KB932031) | Remote Code Execution | Critical | None |
| Visual Studio .NET 2002 Service Pack 1 | Microsoft Office Web Components 2000 (KB933367) | Remote Code Execution | Critical | None |
| Visual Studio .NET 2003 Service Pack 1 | Microsoft Office Web Components 2000 (KB933369) | Remote Code Execution | Critical | None |
| Server | | | | |
| Microsoft BizTalk Server 2000 | Microsoft Office Web Components 2000 (KB939714) | Remote Code Execution | Critical | None |
| Microsoft BizTalk Server 2002 | Microsoft Office Web Components 2000 (KB939714) | Remote Code Execution | Critical | None |
| Microsoft Commerce Server 2000 | Microsoft Office Web Components 2000 (KB941305) | Remote Code Execution | Critical | None |
| Internet Security and Acceleration Server 2000 Service Pack 2 | Microsoft Office Web Components 2000 (KB948257) | Remote Code Execution | Critical | None |

Non-Affected Software
Office Suite

Microsoft Works 8

Microsoft Works 9

Microsoft Works Suite 2005

Microsoft Works Suite 2006

Microsoft Office 2003 Service Pack 2

Microsoft Office 2003 Service Pack 3

2007 Microsoft Office System

2007 Microsoft Office System Service Pack 1

Microsoft BizTalk Server 2004

Microsoft BizTalk Server 2006

Microsoft Commerce Server 2000 Service Pack 1, Microsoft Commerce Server 2000 Service Pack 2, and Microsoft Commerce Server 2000 Service Pack 3

Microsoft Commerce Server 2002

Microsoft Commerce Server 2007

Internet Security and Acceleration Server 2004

Internet Security and Acceleration Server 2006

Frequently Asked Questions (FAQ) Related to This Security Update

Why does this update address several reported security vulnerabilities?
This update addresses several vulnerabilities because the modifications for these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.

I do not have all of the Affected Software installed, but I do have other Microsoft Office applications installed. Why am I being offered the security update?
The vulnerabilities described in this security update exist within Microsoft Office but could not be exploited using one of the applications listed in the Non-Affected Software table. The Microsoft Office applications listed in the Non-Affected table use some of the same files as the applications listed in the Affected Software that the security update affects. We recommend installing the update to prevent the security update from being offered again.

I am using an older version of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your product and version, visit Microsoft Support Lifecycle.

It should be a priority for customers who have older versions of the software to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Vulnerability Information

Severity Ratings and Vulnerability Identifiers
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
| Affected Software | Office Web Components URL Parsing Vulnerability - CVE-2006-4695 | Office Web Components DataSource Vulnerability - CVE-2007-1201 | Aggregate Severity Rating |
|---|---|---|---|
| Microsoft Office Web Components 2000 | Critical, Remote Code Execution | Critical, Remote Code Execution | Critical |

Office Web Components URL Parsing Vulnerability - CVE-2006-4695

A remote code execution vulnerability exists in the way Microsoft Office Web Components manages memory resources when parsing specially crafted URLs. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2006-4695.

Mitigating Factors for Office Web Components URL Parsing Vulnerability - CVE-2006-4695

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

By default, all supported releases of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail they could still be vulnerable to this issue through the Web-based attack scenario.

By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ section of this security bulletin for more information about Internet Explorer Enhanced Security Configuration.

Workarounds for Office Web Components URL Parsing Vulnerability - CVE-2006-4695

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Prevent Office Web Components Library from running in Internet Explorer.

You can prevent the Office Web Components Library from running in Internet Explorer by setting the kill bit for the control in the registry.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

For detailed steps that you can use to prevent a control from running in Office Web Components, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent the Office Web Components library from running.

Note The Class Identifiers and corresponding files where the library objects are contained are documented in the FAQ “What does the update do?” Replace {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifiers found in this section.

To set the kill bit for a CLSID with a value of {0002E510-0000-0000-C000-000000000046} and {0002E511-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E510-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E511-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

Group Policy Collection

What is Group Policy Object Editor?

Core Group Policy Tools and Settings

Note You must restart Internet Explorer for your changes to take effect.

Impact of Workaround: Disabling the Office Web Component prevents Internet Explorer from instantiating the control. This configuration causes program compatibility issues when Office Web Components functionality is required.

How to undo the Workaround: You can undo the workaround documented above by following these steps:

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

To undo the kill bit for a CLSID with a value of {0002E510-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

;CLSID_OWC9_Spreadsheet, {0002E510-0000-0000-C000-000000000046}
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E510-0000-0000-C000-000000000046}]

;CLSID_OWC9_Spreadsheet, {0002E511-0000-0000-C000-000000000046}
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E511-0000-0000-C000-000000000046}]

Unregister the Office Web Components 2000 Library

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

For Office 2000, type the following at the command prompt and select Run:

Regsvr32.exe /u "C:\Program Files\Microsoft Office\Office\MSOWC.DLL"

For Office XP, type the following at the command prompt and select Run:

Regsvr32.exe /u "C:\Program Files\Microsoft Office\Office\MSOWC.DLL"

Impact of Workaround: Applications requiring Office Web Components functionality will not function.

How to undo the Workaround: To re-register the Office Web Components 2000, follow these steps:

For Office 2000, type the following at the command prompt and select Run:

Regsvr32.exe "C:\Program Files\Microsoft Office\Office\MSOWC.DLL"

For Office XP, type the following at the command prompt and select Run:

Regsvr32.exe "C:\Program Files\Microsoft Office\Office\MSOWC.DLL"

FAQ for Office Web Components URL Parsing Vulnerability - CVE-2006-4695

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
An error in parsing a specially crafted execution command may corrupt system memory in such a way that an attacker could execute arbitrary code.

What are Office Web Components?
Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers that have Microsoft Office Web Components installed are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

I am running Internet Explorer for Windows Server 2003. Does this mitigate this vulnerability?
Yes. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

What does the update do?
This update addresses the known security issue and sets the kill bit for a list of Class Identifiers (CLSIDs) for Office Web Components. To help protect customers, this update prevents these CLSIDs from being instantiated in Internet Explorer. For more information about kill bits, see Microsoft Knowledge Base Article 240797.

The Class Identifiers and corresponding files where the COM objects are contained are as follows:
| Class Identifier | File |
|---|---|
| 0002E510-0000-0000-C000-000000000046 | CLSID_OWC9_Spreadsheet |
| 0002E511-0000-0000-C000-000000000046 | CLSID_OWC9_Spreadsheet |

What is a kill bit?
The kill bit is a method by which an ActiveX control can be prevented from ever being invoked via Internet Explorer, even if it's present on the system. (More information on the kill bit is available in Microsoft Knowledge Base Article 240797). Typically, when a security vulnerability involves an ActiveX control, the security update delivers a new control and sets the kill bit on the vulnerable control.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This security bulletin addresses the privately disclosed vulnerability as well as additional issues discovered through internal investigations.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Office Web Components DataSource Vulnerability – CVE-2007-1201

A remote code execution vulnerability exists in the way Microsoft Office Web Components manages memory resources. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-1201.

Mitigating Factors for Office Web Components DataSource Vulnerability – CVE-2007-1201

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

By default, all supported releases of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail they could still be vulnerable to this issue through the Web-based attack scenario.

By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See the FAQ section of this security bulletin for more information about Internet Explorer Enhanced Security Configuration.

Workarounds for Office Web Components DataSource Vulnerability – CVE-2007-1201

Prevent Office Web Components Library from running in Internet Explorer.

You can prevent the Office Web Components Library from running in Internet Explorer by setting the kill bit for the control in the registry.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

For detailed steps that you can use to prevent a control from running in Office Web Components, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent the Office Web Components library from running.

Note The Class Identifiers and corresponding files where the library objects are contained are documented in the FAQ “What does the update do?” Replace {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} below with the Class Identifiers found in this section.

To set the kill bit for a CLSID with a value of {0002E533-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E533-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

To set the kill bit for a CLSID with a value of {0002E530-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E530-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

Group Policy Collection

What is Group Policy Object Editor?

Core Group Policy Tools and Settings

Note You must restart Internet Explorer for your changes to take effect.

Impact of Workaround: Applications requiring Office Web Components functionality will not function.
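
An offline check for the kill-bit .reg files used in both workarounds (the Spreadsheet CLSIDs under CVE-2006-4695 and the DataSource CLSIDs under CVE-2007-1201), added here as an example and not part of Microsoft's bulletin. The function names and the sample file are constructed for illustration. The check flags subkeys that are not well-formed CLSIDs (such as a space inside the braces), lines that are neither comments, keys nor dword values, and expected CLSIDs whose Compatibility Flags value lacks 0x400.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
KILL_BIT = 0x00000400  # Compatibility Flags value the bulletin sets
COMPAT_ROOT = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
               "\\ActiveX Compatibility\\")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
VALUE_RE = re.compile(r'"([^"]+)"\s*=\s*dword:([0-9A-Fa-f]{8})')

# The four CLSIDs named in the bulletin's workarounds.
BULLETIN_CLSIDS = (
    "{0002E510-0000-0000-C000-000000000046}",
    "{0002E511-0000-0000-C000-000000000046}",
    "{0002E530-0000-0000-C000-000000000046}",
    "{0002E533-0000-0000-C000-000000000046}",
)

def build_killbit_reg(clsids):
    """Generate a well-formed kill-bit .reg file for the given CLSIDs."""
    parts = [HEADER, ""]
    for clsid in clsids:
        if not CLSID_RE.fullmatch(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        parts += [f"[{COMPAT_ROOT}{clsid}]",
                  f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\r\n".join(parts)

def audit_killbit_reg(text, expected=BULLETIN_CLSIDS):
    """Return (killed, problems) for the text of a .reg file.

    killed   -- set of CLSIDs whose Compatibility Flags include 0x400
    problems -- human-readable findings, in file order
    """
    problems, killed = [], set()
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines()]
    body = [(n, ln) for n, ln in enumerate(lines, 1) if ln]
    if body and body[0][1] == HEADER:
        body = body[1:]
    else:
        problems.append(f"missing '{HEADER}' header")
    current = None  # CLSID of the key the following values belong to
    for n, ln in body:
        if ln.startswith(";"):
            continue  # comment line
        if ln.startswith("[") and ln.endswith("]"):
            current = None
            key = ln[1:-1]
            if key.startswith("-"):
                problems.append(f"line {n}: key deletion removes a kill bit")
            elif not key.upper().startswith(COMPAT_ROOT.upper()):
                problems.append(f"line {n}: key is outside ActiveX Compatibility")
            elif not CLSID_RE.fullmatch(key[len(COMPAT_ROOT):]):
                bad = key[len(COMPAT_ROOT):]
                problems.append(f"line {n}: malformed CLSID subkey {bad!r}")
            else:
                current = key[len(COMPAT_ROOT):].upper()
            continue
        m = VALUE_RE.fullmatch(ln)
        if m is None:
            problems.append(f"line {n}: not a comment, key or dword value")
        elif current and m.group(1).lower() == "compatibility flags":
            if int(m.group(2), 16) & KILL_BIT:
                killed.add(current)
            else:
                problems.append(f"line {n}: 0x400 bit not set for {current}")
    for clsid in expected:
        if clsid.upper() not in killed:
            problems.append(f"kill bit not set for {clsid}")
    return killed, problems

# Constructed sample with two transcription defects: a space after "{" in the
# first key, and a label line that is missing its leading ";".
BAD_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ 0002E533-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

CLSID_OWC9_DataSourceControl
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E530-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    killed, problems = audit_killbit_reg(BAD_SAMPLE, expected=BULLETIN_CLSIDS[2:])
    print("killed:", sorted(killed))
    for p in problems:
        print("problem:", p)
```
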

How to undo the Workaround: You can undo the workaround documented above by following these steps:

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

To undo the kill bit for a CLSID with a value of {0002E510-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

;CLSID_OWC9_DataSourceControl, {0002E533-0000-0000-C000-000000000046}
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E533-0000-0000-C000-000000000046}]

;CLSID_OWC9_DataSourceControl, {0002E530-0000-0000-C000-000000000046}
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E530-0000-0000-C000-000000000046}]

Unregister the Office Web Components 2000 Library

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

For Office 2000, type the following at the command prompt and select Run:

Regsvr32.exe /u "C:\Program Files\Microsoft Office\Office\MSOWC.DLL"

For Office XP, type the following at the command prompt and select Run:

Regsvr32.exe /u "C:\Program Files\Microsoft Office\Office\MSOWC.DLL"

Impact of Workaround: Applications requiring Office Web Components functionality will not function.

How to undo the Workaround: To re-register the Office Web Components 2000, follow these steps:

For Office 2000, type the following at the command prompt and select Run:

Regsvr32.exe "C:\Program Files\Microsoft Office\Office\MSOWC.DLL"

For Office XP, type the following at the command prompt and select Run:

Regsvr32.exe "C:\Program Files\Microsoft Office\Office\MSOWC.DLL"

FAQ for Office Web Components DataSource Vulnerability – CVE-2007-1201

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
An error in parsing a specially crafted execution command may corrupt system memory in such a way that an attacker could execute arbitrary code.

What are Office Web Components?
Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers that have Microsoft Office Web Components installed are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
This update addresses the known security issue and sets the kill bit for a list of Class Identifiers (CLSIDs) for Office Web Components. To help protect customers, this update prevents these CLSIDs from being instantiated in Internet Explorer. For more information about kill bits, see Microsoft Knowledge Base Article 240797.

The Class Identifiers and corresponding files where the COM objects are contained are as follows:
| Class Identifier | File |
|---|---|
| 0002E533-0000-0000-C000-000000000046 | CLSID_OWC9_DataSourceControl |
| 0002E530-0000-0000-C000-000000000046 | CLSID_OWC9_DataSourceControl |

What is a kill bit?
The kill bit is a method by which an ActiveX control can be prevented from ever being invoked via Internet Explorer, even if it's present on the system. (More information on the kill bit is available in Microsoft Knowledge Base article 240797). Typically, when a security vulnerability involves an ActiveX control, the security update delivers a new control and sets the kill bit on the vulnerable control.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This security bulletin addresses the privately disclosed vulnerability as well as additional issues discovered through internal investigations.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Other Information
Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Chris Ries of VigilantMinds Inc. for reporting the Office Web Components URL Parsing Vulnerability – (CVE-2006-4695).

Xiao Hui of NCNIPC for reporting the Office Web Components URL Parsing Vulnerability – (CVE-2006-4695).

Yuval Ben-Itzhak of Finjan for reporting the Office Web Components DataSource Vulnerability – (CVE-2007-1201).

Support

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions

V1.0 (March 11, 2008): Bulletin published.
