07.15.2009

VU#545228: Microsoft Office Web Components Spreadsheet ActiveX control vulnerability

Vulnerability Note VU#545228

Microsoft Office Web Components Spreadsheet ActiveX control vulnerability

Overview

The Microsoft Office Web Components Spreadsheet ActiveX controls (OWC10 and OWC11) contain a vulnerability that may allow an attacker to take control of a vulnerable system.

I. Description

The Office Web Components Spreadsheet ActiveX control contains a code execution vulnerability. Public reports indicate that this vulnerability is being actively exploited.

Per the MSRC blog, the following products may install the affected control on a system:

    Microsoft Office XP Service Pack 3
    Microsoft Office 2003 Service Pack 3
    Microsoft Office XP Web Components Service Pack 3
    Microsoft Office Web Components 2003 Service Pack 3
    Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
    Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
    Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
    Microsoft Internet Security and Acceleration Server 2006
    Internet Security and Acceleration Server 2006 Supportability Update
    Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
    Microsoft Office Small Business Accounting 2006

Further details are available from the Microsoft Security Research & Defense blog.

II. Impact

A remote attacker may be able to take control of a vulnerable system.

III. Solution

Until updates are available, the workaround below will mitigate this vulnerability.

Disable the Office Web Components Spreadsheet ActiveX controls in Internet Explorer



The vulnerable controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

    {0002E541-0000-0000-C000-000000000046} (OWC10)
    {0002E559-0000-0000-C000-000000000046} (OWC11)

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for these controls:


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400

Disable ActiveX



Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Microsoft Corporation | Vulnerable | 2009-07-15

References

http://www.cert.org/tech_tips/securing_browser/



http://www.microsoft.com/technet/security/advisory/973472.mspx

http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx

http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

http://support.microsoft.com/kb/240797

Credit

Thanks to Microsoft for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2009-07-13
Date First Published: 2009-07-15
Date Last Updated: 2009-07-15
CERT Advisory:
CVE-ID(s): CVE-2009-1136
NVD-ID(s): CVE-2009-1136
US-CERT Technical Alerts: TA09-195A
Metric: 44.04
Document Revision: 15

07.15.2009

VU#545228: Microsoft Office Web Components Spreadsheet ActiveX control vulnerability

Vulnerability Note VU#545228

Microsoft Office Web Components Spreadsheet ActiveX control vulnerability

Overview

The Microsoft Office Web Components Spreadsheet ActiveX controls (OWC10 and OWC11) contain a vulnerability that may allow an attacker to take control of a vulnerable system.

I. Description

The Office Web Components Spreadsheet ActiveX control contains a code execution vulnerability. Public reports indicate that this vulnerability is being actively exploited.

Per the MSRC blog, the following products may install the affected control on a system:

    Microsoft Office XP Service Pack 3
    Microsoft Office 2003 Service Pack 3
    Microsoft Office XP Web Components Service Pack 3
    Microsoft Office Web Components 2003 Service Pack 3
    Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
    Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
    Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
    Microsoft Internet Security and Acceleration Server 2006
    Internet Security and Acceleration Server 2006 Supportability Update
    Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
    Microsoft Office Small Business Accounting 2006

Further details are available from the Microsoft Security Research & Defense blog.

II. Impact

A remote attacker may be able to take control of a vulnerable system.

III. Solution

Until updates are available, the workaround below will mitigate this vulnerability.

Disable the Office Web Components Spreadsheet ActiveX controls in Internet Explorer



The vulnerable controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

    {0002E541-0000-0000-C000-000000000046} (OWC10)
    {0002E559-0000-0000-C000-000000000046} (OWC11)

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for these controls:


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400

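Added example, not part of the vulnerability note: a check that a .REG file sets the kill bit (0x400) for both OWC CLSIDs in the native key and in the Wow6432Node key, which 32-bit Internet Explorer reads on 64-bit Windows. The function names and the `build_reg` sample generator are assumptions made for this illustration.

```python
import re

KILL_BIT = 0x400  # bit the advisory sets in "Compatibility Flags"
OWC_CLSIDS = {
    "{0002E541-0000-0000-C000-000000000046}": "OWC10",
    "{0002E559-0000-0000-C000-000000000046}": "OWC11",
}
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\"
    r"Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.I)
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.I)

def killbit_views(reg_text):
    """Map CLSID -> set of views ('native', 'wow6432') where the kill bit is set."""
    found, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = (key.group(2).upper(), "wow6432" if key.group(1) else "native")
        elif line.startswith("["):
            current = None              # unrelated key: ignore its values
        else:
            flag = FLAG_RE.match(line)
            if flag and current and int(flag.group(1), 16) & KILL_BIT:
                found.setdefault(current[0], set()).add(current[1])
    return found

def missing_views(reg_text):
    """Return {control: [views lacking the kill bit]}; empty dict means full coverage."""
    have = killbit_views(reg_text)
    gaps = {}
    for clsid, name in OWC_CLSIDS.items():
        lacking = sorted({"native", "wow6432"} - have.get(clsid, set()))
        if lacking:
            gaps[name] = lacking
    return gaps

def build_reg(prefixes, value="00000400"):
    """Constructed sample .REG text; prefixes are '' and/or 'Wow6432Node\\'."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for clsid in OWC_CLSIDS:
        for p in prefixes:
            out += ["[HKEY_LOCAL_MACHINE\\SOFTWARE\\" + p + "Microsoft\\Internet "
                    "Explorer\\ActiveX Compatibility\\" + clsid + "]",
                    '"Compatibility Flags"=dword:' + value, ""]
    return "\n".join(out)
```
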
Disable ActiveX



Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Microsoft Corporation | Vulnerable | 2009-07-15

References

http://www.cert.org/tech_tips/securing_browser/



http://www.microsoft.com/technet/security/advisory/973472.mspx

http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx

http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

http://support.microsoft.com/kb/240797

Credit

Thanks to Microsoft for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2009-07-13
Date First Published: 2009-07-15
Date Last Updated: 2009-08-07
CERT Advisory:
CVE-ID(s): CVE-2009-1136
NVD-ID(s): CVE-2009-1136
US-CERT Technical Alerts: TA09-195A
Metric: 44.04
Document Revision: 17

04.3.2009

VU#627331: Microsoft Office PowerPoint code execution vulnerability

Vulnerability Note VU#627331

Microsoft Office PowerPoint code execution vulnerability

Overview

Microsoft PowerPoint contains a vulnerability. If exploited, this vulnerability could allow an attacker to execute code.

I. Description

Microsoft PowerPoint is a component of Microsoft Office. Per Microsoft Security Advisory 969136:

    The vulnerability is caused when Microsoft Office PowerPoint accesses an invalid object in memory when parsing a specially crafted PowerPoint file. This creates a condition that allows the attacker to execute arbitrary code.



The advisory also states that Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2004 for Mac are affected.

II. Impact

A remote attacker may be able to execute code with the privileges of the user running PowerPoint.

III. Solution

We are currently unaware of a solution to this problem. Until updates are available, users are encouraged to use the workarounds below.



Do not open untrusted PowerPoint documents



Do not open unfamiliar or unexpected PowerPoint or other Office documents, particularly those hosted on web sites or delivered as email attachments.





Do not rely on file name extension filtering



In most cases, Windows will call PowerPoint to open a document even if the document has an unknown file extension. For example, if presentation.qwer contains the correct file header information, Windows will open presentation.qwer with PowerPoint. Filtering for common extensions (e.g., .ppt, .pot, and .pps) will not detect all PowerPoint documents. Additionally, a PowerPoint file with no file extension will also open with the PowerPoint application.
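
Added example, not part of the vulnerability note: a content-based check that a mail or web filter could use instead of the file name. It reads the OLE2 compound-file header and directory and looks for the "PowerPoint Document" stream that binary PowerPoint files carry; the function names and the constructed `sample_cfb` input are assumptions made for this illustration.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature
END_OF_CHAIN, MAX_REGULAR = 0xFFFFFFFE, 0xFFFFFFFA

def cfb_entry_names(data):
    """Directory entry names of an OLE2 compound file, or None if the bytes
    are not one. Reads only the FAT sectors listed in the header."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        return None
    shift = struct.unpack_from("<H", data, 30)[0]
    if shift not in (9, 12):                      # 512- or 4096-byte sectors
        return None
    size = 1 << shift
    sect = struct.unpack_from("<I", data, 48)[0]  # first directory sector
    fat = []
    for fat_sect in struct.unpack_from("<109I", data, 76):
        if fat_sect > MAX_REGULAR:
            break
        chunk = data[(fat_sect + 1) * size:(fat_sect + 2) * size]
        fat += struct.unpack("<%dI" % (len(chunk) // 4), chunk[:len(chunk) // 4 * 4])
    names, seen = [], set()
    while sect <= MAX_REGULAR and sect not in seen:   # follow the directory chain
        seen.add(sect)
        base = (sect + 1) * size
        for off in range(base, min(base + size, len(data)) - 127, 128):
            nlen = struct.unpack_from("<H", data, off + 64)[0]
            if 2 <= nlen <= 64:
                names.append(data[off:off + nlen - 2].decode("utf-16-le", "replace"))
        sect = fat[sect] if sect < len(fat) else END_OF_CHAIN
    return names

def is_powerpoint(data):
    """True for binary PowerPoint content, whatever the file is called."""
    names = cfb_entry_names(data)
    return names is not None and "PowerPoint Document" in names

def sample_cfb(stream_name):
    """Constructed sample: header, one FAT sector, one directory sector."""
    header = CFB_MAGIC + bytes(16) + struct.pack("<HHHH", 0x3E, 3, 0xFFFE, 9)
    header = header.ljust(48, b"\0") + struct.pack("<I", 1)   # directory = sector 1
    header = header.ljust(76, b"\0") + struct.pack("<109I", 0, *[0xFFFFFFFF] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, END_OF_CHAIN, *[0xFFFFFFFF] * 126)
    def entry(name):
        raw = (name + "\0").encode("utf-16-le")
        return raw.ljust(64, b"\0") + struct.pack("<H", len(raw)) + bytes(62)
    return header + fat + (entry("Root Entry") + entry(stream_name)).ljust(512, b"\0")
```

The check takes only the file's bytes, so a file saved as presentation.qwer or with no extension is classified the same way as one named .ppt.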

Systems Affected

Vendor | Status | Date Notified | Date Updated
Microsoft Corporation | Vulnerable | 2009-04-03

References



http://www.microsoft.com/technet/security/advisory/969136.mspx

http://blogs.technet.com/mmpc/archive/2009/04/02/new-0-day-exploits-using-powerpoint-files.aspx

Credit

Information from Microsoft Security Advisory 969136 was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2009-04-02
Date First Published: 2009-04-03
Date Last Updated: 2009-04-03
CERT Advisory:
CVE-ID(s): CVE-2009-0556
NVD-ID(s): CVE-2009-0556
US-CERT Technical Alerts:
Metric: 9.28
Document Revision: 11

03.10.2009

VU#319331: Microsoft Windows DNS Server response validation vulnerability

Vulnerability Note VU#319331

Microsoft Windows DNS Server response validation vulnerability

Overview

The Microsoft Windows DNS server contains a response validation vulnerability. If successfully exploited, this vulnerability may allow an attacker to poison the affected DNS server's cache.

I. Description

The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected systems.

Per Microsoft Security Bulletin MS09-008:


    A response validation vulnerability exists in Windows DNS Server. The vulnerability could allow an unauthenticated remote attacker to send specially crafted queries to a DNS server so as to allow greater predictability of transaction IDs used by the DNS server and thus to redirect Internet traffic from legitimate locations.

II. Impact

An attacker may be able to insert arbitrary values in the DNS cache. An attacker with the ability to conduct a successful attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control.

III. Solution

Upgrade

Microsoft has released an update to address this issue. See http://www.microsoft.com/technet/security/bulletin/MS09-008.mspx for more information.




Systems Affected

Vendor | Status | Date Notified | Date Updated
Microsoft Corporation | Vulnerable | 2009-03-10

References



http://www.microsoft.com/technet/security/Bulletin/MS09-mar.mspx

http://www.microsoft.com/technet/security/bulletin/MS09-008.mspx

Credit

Information from Microsoft Security Bulletin MS09-008 was used in this report. Microsoft credits Kevin Day and Dave Dagon for providing assistance with this issue.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2009-03-10
Date First Published: 2009-03-10
Date Last Updated: 2009-03-17
CERT Advisory:
CVE-ID(s): CVE-2009-0234
NVD-ID(s): CVE-2009-0234
US-CERT Technical Alerts:
Metric: 10.13
Document Revision: 21

09.25.2008

VU#343971: ABB PCU400 vulnerable to buffer overflow

Vulnerability Note VU#343971

ABB PCU400 vulnerable to buffer overflow

Overview

ABB PCU400 contains a vulnerability which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

The ABB PCU400 application serves as a communication gateway between RTUs that use the IEC-870-5-104 protocol and the SCADA server. The diagnostic web application contains a software flaw which allows an attacker to gain full access on the PCU400 server by sending a specially crafted packet to the X87 web interface on TCP port 8087.

Note that this issue affects PCU400 installations running the IEC60870-5-101/104 protocol based on X87.

II. Impact

A remote attacker may be able to execute arbitrary code with the privileges of the account running the x87 application.

III. Solution

Upgrade or Patch

According to ABB:


    This issue is corrected in version 3.5.5 of the x87 executable. To obtain a patch or upgrade software please contact your vendor. The x87 executable is considered obsolete in newer versions of the PCU 400 and should be replaced by the newer x88 or x89 executable where applicable.

Restrict Access



This diagnostic web application is designed to be used locally. Restrictions should be put in place to limit remote access. According to ABB:

    Unless there is a specific reason, a host based filter like the built-in firewall in Windows XP should be activated for the port 8087, denying access to the web interface from a remote location.

Systems Affected

Vendor | Status | Date Notified | Date Updated
ABB | Vulnerable | 2008-10-08

References



http://www.digitalbond.com/wiki/index.php/ABB_PCU400_Remote_Buffer_Overflow

http://www.securityfocus.com/archive/1/496739/30/0/threaded

Credit

This issue was reported by Eyal Udassin and Idan Ofrat of C4 Security.

This document was written by Chris Taschner.

Other Information

Date Public: 2008-09-25
Date First Published: 2008-09-25
Date Last Updated: 2009-03-03
CERT Advisory:
CVE-ID(s): CVE-2008-2474
NVD-ID(s): CVE-2008-2474
US-CERT Technical Alerts:
Metric: 3.28
Document Revision: 22
