Microsoft Office Web Components Remote Code Execution Vulnerabilities
| Release Date: | 11/03/2008 | Severity: | Highly Critical |
| SecWatch Advisory: | SWID1020627 | Cause: | Not specified |
| Solution Status: | Vendor Patch | Impact: | Execution of arbitrary code |
| Exploit Status: | None Available | Access Vector: | From remote |
| Affected Software: | Microsoft BizTalk Server 2000, Microsoft BizTalk Server 2002, Microsoft Commerce Server 2000, Microsoft ISA Server 2000, Microsoft Office 2000, Microsoft Office Web Components 2000, Microsoft Office XP, Microsoft Visual Studio .NET 2002, Microsoft Visual Studio .NET 2003 |
| References: | FrSIRT/ADV-2008-0849 |
| CVE: | CVE-2006-4695, CVE-2007-1201 |
| Microsoft: | MS08-017 |
| Secunia: | SA29328 |
Description:
Two vulnerabilities in Microsoft Office Web Components have been reported, which can be exploited by remote users to compromise a vulnerable system.
1) An error exists when parsing certain URLs, which can be exploited to corrupt memory and potentially execute arbitrary code.
2) An error exists when parsing crafted execution commands, which can be exploited to corrupt memory and execute arbitrary code.
Solution:
The vulnerabilities have been fixed; apply the patches:
http://www.microsoft.com/techn...ecurity/Bulletin/MS08-017.mspx
Credits:
Chris Ries of VigilantMinds Inc, Xiao Hui of NCNIPC, and Yuval Ben-Itzhak of Finjan.
