A vulnerability in Microsoft Office Web Components may allow remote code execution.
The flaw is tied to the use of one particular ActiveX control within Internet Explorer. Upon exploitation, the system may be left in a state that could allow an attacker to run arbitrary code. The affected control can be identified by the following CLSIDs:
0002E559-0000-0000-C000-000000000046
0002E541-0000-0000-C000-000000000046
Exploitation can be achieved via a specially crafted web page designed to target this vulnerability.
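As an added example (not part of the original advisory or of any vendor tooling), the following Python scanner looks through saved web content for references to the two CLSIDs listed above, for instance when triaging pages pulled from a proxy cache. The names `ClsidScanner`, `scan_html` and `SAMPLE_PAGE` are hypothetical, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# CLSIDs of the affected control, as listed in the advisory.
AFFECTED_CLSIDS = {
    "0002E559-0000-0000-C000-000000000046",
    "0002E541-0000-0000-C000-000000000046",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

class ClsidScanner(HTMLParser):
    """Records references to an affected CLSID in tag attributes or text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, clsid, where)

    def _check(self, text, where):
        base_line = self.getpos()[0]  # line where this tag or text chunk starts
        for m in GUID_RE.finditer(text or ""):
            clsid = m.group(0).upper()  # CLSIDs are case-insensitive
            if clsid in AFFECTED_CLSIDS:
                line = base_line + text.count("\n", 0, m.start())
                self.findings.append((line, clsid, where))

    def handle_starttag(self, tag, attrs):
        # Attribute values arrive with character references already decoded,
        # so an entity-encoded classid is still recognised.
        for name, value in attrs:
            self._check(value, f"<{tag} {name}>")

    def handle_data(self, data):
        # Covers inline script bodies as well as ordinary page text.
        self._check(data, "text")

def scan_html(html_text):
    """Return sorted (line, clsid, where) tuples for one HTML document."""
    scanner = ClsidScanner()
    scanner.feed(html_text)
    scanner.close()
    return sorted(scanner.findings)

# Constructed sample page; the second <object> uses a made-up, unaffected CLSID.
SAMPLE_PAGE = """<html><body>
<p>Report viewer</p>
<object id="sheet" classid="clsid:0002e559-0000-0000-c000-000000000046"></object>
<object classid="clsid:11111111-2222-3333-4444-555555555555"></object>
<script>
var id = "{0002E541-0000-0000-C000-000000000046}";
</script>
</body></html>"""

if __name__ == "__main__":
    for line, clsid, where in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {clsid} in {where}")
```

A hit only shows that a page references the control; it says nothing about whether the page is malicious, so treat matches as leads for review.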
Attack Vector: Website with malicious content
User Interaction: User interaction is needed
Vendor Status: Responded and patched
Vulnerable Systems:
Office Small Business Accounting 2006
http://vil.nai.com/vil/content/v_179225.htm
2009-07-13: Vendor has provided information on the vulnerability.
2009-07-16: A proof of concept has been released.
2009-07-21: A proof of concept has been released.
2009-08-11: Vendor has provided a patch.
The vendor has released a patch to address this issue:
http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx
Microsoft Security Bulletin MS09-043 - Critical Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)
http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx