SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Microsoft Office Vendors:   Microsoft
Microsoft Office Web Components Buffer Overflows in ActiveX Control Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1022708
SecurityTracker URL:  http://securitytracker.com/id/1022708
CVE Reference:   CVE-2009-0562, CVE-2009-2496, CVE-2009-1534   (Links to External Site)
Updated:  Oct 28 2009
Original Entry Date:  Aug 11 2009
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2000 SP3, 2003 SP3, XP SP3; and prior service packs
Description:   Several vulnerabilities were reported in Microsoft Office. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a buffer overflow or memory allocation error in the Office Web Components ActiveX control and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Microsoft Internet Security and Acceleration Server 2004 SP3 and 2006 SP1, Microsoft BizTalk Server 2002, Microsoft Visual Studio .NET 2003 SP1, and Microsoft Office Small Business Accounting 2006 are also affected.

Peter Vreugdenhil of Zero Day Initiative and Sean Larsson of VeriSign iDefense Labs each reported some of these vulnerabilities.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued the following fixes:

Microsoft Office XP Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=60e2e4e7-aa75-441d-b6fc-7e850bf8e580

Microsoft Office 2003 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=95c94c9a-6aca-42fb-9679-3234f06c72f7

Microsoft Office 2000 Web Components Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=60e2e4e7-aa75-441d-b6fc-7e850bf8e580

Microsoft Office XP Web Components Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=60e2e4e7-aa75-441d-b6fc-7e850bf8e580

Microsoft Office 2003 Web Components Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=95c94c9a-6aca-42fb-9679-3234f06c72f7

Microsoft Office 2003 Web Components Service Pack 1 for the 2007 Microsoft Office System:

http://www.microsoft.com/downloads/details.aspx?familyid=644008e0-77c9-4a02-ac9b-e30d0930c4be

Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=8f79a073-27e8-46ef-87d8-f09b93521326

Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=8f79a073-27e8-46ef-87d8-f09b93521326

Microsoft Internet Security and Acceleration Server 2006 Standard Edition Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=8f79a073-27e8-46ef-87d8-f09b93521326

Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=8f79a073-27e8-46ef-87d8-f09b93521326

Microsoft BizTalk Server 2002:

http://www.microsoft.com/downloads/details.aspx?familyid=495839b6-0322-4755-997d-4a7762c53333

Microsoft Visual Studio .NET 2003 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=ba2915a0-f5f4-4e18-b0c0-534d2a948585

Microsoft Office Small Business Accounting 2006:

http://www.microsoft.com/downloads/details.aspx?familyid=0d77ddb3-4d34-4cfe-913b-d05981f59a82

A restart may be required.

On October 27, 2009, Microsoft rereleased MS09-043 to correct a detection issue for Office 2003 SP3 and Office 2003 Web Components SP3. The binaries were not changed. Customers that have already applied the fix do not need to reinstall the update.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms09-043.mspx (Links to External Site)
Cause:   Access control error, Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC