Alert
Microsoft Office Web Components ActiveX vulnerability
Posted: 2009-07-13 10:00:00
Summary: A vulnerability exists in the ActiveX control that Internet Explorer uses to display Excel spreadsheets. This vulnerability could allow remote code execution on a victim system.
UPDATE 7/13/09 3:09 PM CST
The SANS Internet Storm Center has moved to Infocon: Yellow regarding this exploit. Infocon: Yellow is defined as the following:
We are currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: 'MSBlaster' worm outbreak.

They updated at 2:35pm today indicating that this vulnerability is ACTIVELY EXPLOITED on certain web sites. Your users may receive e-mail messages that attempt to entice them to click on a link. They may also become infected via malicious search results.

The killbits mentioned below should be set as soon as possible. Microsoft has provided a .msi to make this process simple, especially for departments with remote desktop management solutions. You should also strongly consider switching your users' default browsers to one that does not use ActiveX.

More here: http://isc.sans.org/diary.html?storyid=6778

Affected Systems:

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office XP Web Components Service Pack 3
Microsoft Office Web Components 2003 Service Pack 3
Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2006
Internet Security and Acceleration Server 2006 Supportability Update
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
Microsoft Office Small Business Accounting 2006

Please note:
This is NOT related to the ActiveX 0-day announced last week.
Description:
The SANS Internet Storm Center believes exploits for this vulnerability are currently only being used in targeted attacks. They have not yet seen an example of this exploit. They recommend that desktop administrators implement this workaround with great haste, because it could quickly become a broad-based attack. There is no patch or fix available aside from the workaround named in the Solution section.
Solution:
Use the Microsoft-supplied "Fix it" or set the killbits for this ActiveX control manually. The Fix it for this vulnerability can be downloaded here: http://go.microsoft.com/?linkid=9672747
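For departments that set the killbits manually or want to confirm the Fix it was applied across managed desktops, the following PowerShell script is an added example, not Microsoft's Fix it and not code from the original alert. It assumes the standard Internet Explorer "ActiveX Compatibility" registry location and the 0x400 kill bit flag; the default CLSID is a placeholder and must be replaced with the class identifiers listed in Microsoft Security Advisory 973472.

```powershell
# Added example: audit, and with -Set apply, the IE kill bit for a control.
# The default CLSID is a PLACEHOLDER; pass the class identifiers listed in
# Microsoft Security Advisory 973472.
param(
    [string[]]$Clsid = @('{00000000-0000-0000-0000-000000000000}'),
    [switch]$Set   # writing to HKLM requires an elevated session
)

$KillBit   = 0x400                  # bit in "Compatibility Flags" that blocks the control in IE
$ValueName = 'Compatibility Flags'

# 64-bit Windows has a second registry view used by 32-bit Internet Explorer.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-Flags([string]$Key) {
    # Returns the current DWORD, or $null when the key or value is absent.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { return $item.$ValueName }
    return $null
}

$report = foreach ($root in $roots) {
    foreach ($id in $Clsid) {
        $key   = Join-Path $root $id
        $flags = Get-Flags $key
        if ($Set -and (($null -eq $flags) -or (($flags -band $KillBit) -eq 0))) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the bit in so any other compatibility flags are preserved.
            $new = $flags -bor $KillBit
            Set-ItemProperty -LiteralPath $key -Name $ValueName -Value $new -Type DWord
            $flags = Get-Flags $key
        }
        [pscustomobject]@{
            Key     = $key
            Flags   = if ($null -eq $flags) { '(absent)' } else { '0x{0:X8}' -f $flags }
            KillBit = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

$report | Format-Table -AutoSize
# Non-zero exit lets a desktop-management tool flag hosts that are still exposed.
if ($report | Where-Object { -not $_.KillBit }) { exit 1 }
```

Run without `-Set` to report only; a host passes when every listed CLSID shows `KillBit = True` under each registry view that exists.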
References:
Microsoft Security Advisory: Vulnerability in Microsoft Office Web Components control could allow remote code execution
Source:
Microsoft Security Advisory 973472 Released
Microsoft Security Advisory (973472) Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution