SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Microsoft Office Vendors:  Microsoft
Microsoft Office Web Components Buffer Overflows in ActiveX Control Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1022708
SecurityTracker URL:  http://securitytracker.com/id?1022708
CVE Reference:  CVE-2009-0562 ,  CVE-2009-2496 ,  CVE-2009-1534   (Links to External Site)
Updated:  Oct 28 2009
Original Entry Date:  Aug 11 2009
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  Microsoft Security Bulletin
Version(s): 2000 SP3, 2003 SP3, XP SP3; and prior service packs
Description:  Several vulnerabilities were reported in Microsoft Office. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow or memory allocation error in the Office Web Components ActiveX control and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Microsoft Internet Security and Acceleration Server 2004 SP3 and 2006 SP1, Microsoft BizTalk Server 2002, Microsoft Visual Studio .NET 2003 SP1, and Microsoft Office Small Business Accounting 2006 are also affected.

Peter Vreugdenhil of Zero Day Initiative and Sean Larsson of VeriSign iDefense Labs each reported some of these vulnerabilities.
Impact:  A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:  The vendor has issued the following fixes:

Microsoft Office XP Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=60e2e4e7-aa75-441d-b6fc-7e850 bf8e580

Microsoft Office 2003 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=95c94c9a-6aca-42fb-9679-3234f06c72f7

Microsoft Office 2000 Web Components Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=60e2e4e7-aa75-441d-b6fc-7e850bf8e580

Microsoft Office XP Web Components Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=60e2e4e7-aa75-441d-b6fc-7e850bf8e580

Microsoft Office 2003 Web Components Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=95c94c9a-6aca-42fb-9679-3234f06c72f7

Microsoft Office 2003 Web Components Service Pack 1 for the 2007 Microsoft Office System:

http://www.microsoft.com/downloads/details.aspx?familyid=644008e0-77c9-4a02-ac9b-e30d09 30c4be

Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=8f79a073-2 7e8-46ef-87d8-f09b93521326

Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3:

http://www.microsoft.com/downloads/details.as px?familyid=8f79a073-27e8-46ef-87d8-f09b93521326

Microsoft Internet Security and Acceleration Server 2006 Standard Edition Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=8f79a073-27e8-46ef-87d8-f09b93521326

Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=8f79a073-27e8-46ef-87d8-f09b93521326

Micros oft BizTalk Server 2002:

http://www.microsoft.com/downloads/details.aspx?familyid=495839b6-0322-4755-997d-4a7762c53333

Microsoft Visual Studio .NET 2003 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=ba2915a0-f5f4-4e18-b0c0-534d2a948585

Microsoft Office Small Business Accounting 2006:

http://www.microsoft.com/downloads/details.aspx?familyid=0d77ddb3-4d34-4cfe-913b-d05981f59a82

A restart may be required.

On October 27, 2009, Microsoft rereleased MS09-043 to correct a detection issue for Office 2003 SP3 and Office 2003 Web Components SP3. The binaries were not changed. Customers that have already applied the fix do not need to reinstall the update.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx
Vendor URL:  www.microsoft.com/technet/security/bulletin/ms09-043.mspx (Links to External Site)
Cause:  Access control error, Boundary error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Tue, 11 Aug 2009 13:08:03 -0400
Subject:  http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx

 
 
Microsoft Security Bulletin MS09-043 - Critical: Vulnerabilities in Microsoft Office Web Components C
ould Allow Remote Code Execution (957638)
 
CVE-2009-0562
CVE-2009-2496
CVE-2009-1136
CVE-2009-1534


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC