certfr_avis - certa-2009-avi-331

CERTA-2009-AVI-331

Vulnerability from certfr_avis

De multiples vulnérabilités ont été identifiées dans Microsoft Office Web Components. Elles peuvent être exploitées par une personne distante afin d'exécuter du code arbitraire sur le système.

Description

De multiples vulnérabilités ont été identifiées dans Microsoft Office Web Components. Il s'agit d'un ensemble de contrôles COM (Component Object Model) utilisés pour la publication de feuilles de calcul, de graphiques et de bases de données sur le Web ainsi que pour l'affichage de composants publiés sur le Web.

Une personne distante pourrait ainsi chercher à exploiter ces vulnérabilités par le biais d'une page Web spécialement conçue.

Solution

Se référer au bulletin de sécurité Microsoft MS09-043 pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Microsoft	Office	Microsoft Office 2003 Web Components Service Pack 3 ;
Microsoft	Office	Microsoft Office XP Service Pack 3 ;
Microsoft	Office	Microsoft Office 2003 Web Components Service Pack 1 pour Microsoft Office System 2007 ;
Microsoft	Office	Microsoft Office XP Web Components Service Pack ;
Microsoft	Office	Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3 ;
Microsoft	Office	Microsoft BizTalk Server 2002 ;
Microsoft	Office	Microsoft Internet Security and Acceleration Server 2006 Standard Edition Service Pack 1 ;
Microsoft	Office	Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition Service Pack 1 ;
Microsoft	Office	Microsoft Office 2003 Service Pack 3 ;
Microsoft	Office	Microsoft Office Small Business Accounting 2006.
Microsoft	Office	Microsoft Office 2000 Web Components Service Pack 3 ;
Microsoft	Office	Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3 ;
Microsoft	Office	Microsoft Visual Studio .NET 2003 Service Pack 1 ;

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft MS09-043 du 11 août 2009

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Microsoft Office 2003 Web Components Service Pack 3 ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Office XP Service Pack 3 ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Office 2003 Web Components Service Pack 1 pour Microsoft Office System 2007 ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Office XP Web Components Service Pack ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3 ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft BizTalk Server 2002 ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Internet Security and Acceleration Server 2006 Standard Edition Service Pack 1 ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition Service Pack 1 ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Office 2003 Service Pack 3 ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Office Small Business Accounting 2006.",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Office 2000 Web Components Service Pack 3 ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3 ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    },
    {
      "description": "Microsoft Visual Studio .NET 2003 Service Pack 1 ;",
      "product": {
        "name": "Office",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nDe multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 identifi\u00e9es dans Microsoft Office\nWeb Components. Il s\u0027agit d\u0027un ensemble de contr\u00f4les COM (Component\nObject Model) utilis\u00e9s pour la publication de feuilles de calcul, de\ngraphiques et de bases de donn\u00e9es sur le Web ainsi que pour l\u0027affichage\nde composants publi\u00e9s sur le Web.\n\nUne personne distante pourrait ainsi chercher \u00e0 exploiter ces\nvuln\u00e9rabilit\u00e9s par le biais d\u0027une page Web sp\u00e9cialement con\u00e7ue.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 Microsoft MS09-043 pour l\u0027obtention\ndes correctifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2009-1534",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-1534"
    },
    {
      "name": "CVE-2009-2496",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-2496"
    },
    {
      "name": "CVE-2009-0562",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0562"
    },
    {
      "name": "CVE-2009-1136",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-1136"
    }
  ],
  "initial_release_date": "2009-08-12T00:00:00",
  "last_revision_date": "2009-08-12T00:00:00",
  "links": [],
  "reference": "CERTA-2009-AVI-331",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2009-08-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 identifi\u00e9es dans Microsoft Office\nWeb Components. Elles peuvent \u00eatre exploit\u00e9es par une personne distante\nafin d\u0027ex\u00e9cuter du code arbitraire sur le syst\u00e8me.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Microsoft Office Web Components",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft MS09-043 du 11 ao\u00fbt 2009",
      "url": "http://www.microsoft.com/technet/security/Bulletin/MS09-043.mspx"
    }
  ]
}

CVE-2009-0562 (GCVE-0-2009-0562)

Vulnerability from cvelistv5

Published

2009-08-12 17:00

Modified

2024-08-07 04:40

Severity ?

CWE

Summary

The Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 SP1, and Office Small Business Accounting 2006 does not properly allocate memory, which allows remote attackers to execute arbitrary code via unspecified vectors that trigger "system state" corruption, aka "Office Web Components Memory Allocation Vulnerability."

References

URL

Tags

	http://www.us-cert.gov/cas/techalerts/TA09-223A.html	third-party-advisory, x_refsource_CERT
	http://www.securitytracker.com/id?1022708	vdb-entry, x_refsource_SECTRACK
	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6337	vdb-entry, signature, x_refsource_OVAL
	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043	vendor-advisory, x_refsource_MS

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T04:40:05.053Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "TA09-223A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
          },
          {
            "name": "1022708",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1022708"
          },
          {
            "name": "oval:org.mitre.oval:def:6337",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6337"
          },
          {
            "name": "MS09-043",
            "tags": [
              "vendor-advisory",
              "x_refsource_MS",
              "x_transferred"
            ],
            "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-08-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 SP1, and Office Small Business Accounting 2006 does not properly allocate memory, which allows remote attackers to execute arbitrary code via unspecified vectors that trigger \"system state\" corruption, aka \"Office Web Components Memory Allocation Vulnerability.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-12T19:57:01",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "TA09-223A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
        },
        {
          "name": "1022708",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1022708"
        },
        {
          "name": "oval:org.mitre.oval:def:6337",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6337"
        },
        {
          "name": "MS09-043",
          "tags": [
            "vendor-advisory",
            "x_refsource_MS"
          ],
          "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2009-0562",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 SP1, and Office Small Business Accounting 2006 does not properly allocate memory, which allows remote attackers to execute arbitrary code via unspecified vectors that trigger \"system state\" corruption, aka \"Office Web Components Memory Allocation Vulnerability.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "TA09-223A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
            },
            {
              "name": "1022708",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1022708"
            },
            {
              "name": "oval:org.mitre.oval:def:6337",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6337"
            },
            {
              "name": "MS09-043",
              "refsource": "MS",
              "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2009-0562",
    "datePublished": "2009-08-12T17:00:00",
    "dateReserved": "2009-02-12T00:00:00",
    "dateUpdated": "2024-08-07T04:40:05.053Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2009-2496 (GCVE-0-2009-2496)

Vulnerability from cvelistv5

Published

2009-08-12 17:00

Modified

2024-08-07 05:52

Severity ?

CWE

Summary

Heap-based buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 SP1, and Office Small Business Accounting 2006 allows remote attackers to execute arbitrary code via unspecified parameters to unknown methods, aka "Office Web Components Heap Corruption Vulnerability."

References

URL

Tags

	http://www.us-cert.gov/cas/techalerts/TA09-223A.html	third-party-advisory, x_refsource_CERT
	http://www.securitytracker.com/id?1022708	vdb-entry, x_refsource_SECTRACK
	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5645	vdb-entry, signature, x_refsource_OVAL
	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043	vendor-advisory, x_refsource_MS

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T05:52:14.657Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "TA09-223A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
          },
          {
            "name": "1022708",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1022708"
          },
          {
            "name": "oval:org.mitre.oval:def:5645",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5645"
          },
          {
            "name": "MS09-043",
            "tags": [
              "vendor-advisory",
              "x_refsource_MS",
              "x_transferred"
            ],
            "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-08-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Heap-based buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 SP1, and Office Small Business Accounting 2006 allows remote attackers to execute arbitrary code via unspecified parameters to unknown methods, aka \"Office Web Components Heap Corruption Vulnerability.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-12T19:57:01",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "TA09-223A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
        },
        {
          "name": "1022708",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1022708"
        },
        {
          "name": "oval:org.mitre.oval:def:5645",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5645"
        },
        {
          "name": "MS09-043",
          "tags": [
            "vendor-advisory",
            "x_refsource_MS"
          ],
          "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2009-2496",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Heap-based buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 SP1, and Office Small Business Accounting 2006 allows remote attackers to execute arbitrary code via unspecified parameters to unknown methods, aka \"Office Web Components Heap Corruption Vulnerability.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "TA09-223A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
            },
            {
              "name": "1022708",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1022708"
            },
            {
              "name": "oval:org.mitre.oval:def:5645",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5645"
            },
            {
              "name": "MS09-043",
              "refsource": "MS",
              "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2009-2496",
    "datePublished": "2009-08-12T17:00:00",
    "dateReserved": "2009-07-17T00:00:00",
    "dateUpdated": "2024-08-07T05:52:14.657Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2009-1136 (GCVE-0-2009-1136)

Vulnerability from cvelistv5

Published

2009-07-15 15:00

Modified

2024-08-07 05:04

Severity ?

CWE

Summary

The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 Gold and SP1, and Office Small Business Accounting 2006, when used in Internet Explorer, allows remote attackers to execute arbitrary code via a crafted call to the msDataSourceObject method, as exploited in the wild in July and August 2009, aka "Office Web Components HTML Script Vulnerability."

References

URL

Tags

	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5809	vdb-entry, signature, x_refsource_OVAL
	http://isc.sans.org/diary.html?storyid=6778	x_refsource_MISC
	http://www.us-cert.gov/cas/techalerts/TA09-223A.html	third-party-advisory, x_refsource_CERT
	http://www.microsoft.com/technet/security/advisory/973472.mspx	x_refsource_CONFIRM
	http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx	x_refsource_CONFIRM
	http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx	x_refsource_CONFIRM
	http://xeye.us/blog/2009/07/one-0day/	x_refsource_MISC
	http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb	x_refsource_MISC
	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043	vendor-advisory, x_refsource_MS

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T05:04:47.977Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "oval:org.mitre.oval:def:5809",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5809"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://isc.sans.org/diary.html?storyid=6778"
          },
          {
            "name": "TA09-223A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.microsoft.com/technet/security/advisory/973472.mspx"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://xeye.us/blog/2009/07/one-0day/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb"
          },
          {
            "name": "MS09-043",
            "tags": [
              "vendor-advisory",
              "x_refsource_MS",
              "x_transferred"
            ],
            "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-07-12T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 Gold and SP1, and Office Small Business Accounting 2006, when used in Internet Explorer, allows remote attackers to execute arbitrary code via a crafted call to the msDataSourceObject method, as exploited in the wild in July and August 2009, aka \"Office Web Components HTML Script Vulnerability.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-12T19:57:01",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "oval:org.mitre.oval:def:5809",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5809"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://isc.sans.org/diary.html?storyid=6778"
        },
        {
          "name": "TA09-223A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.microsoft.com/technet/security/advisory/973472.mspx"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://xeye.us/blog/2009/07/one-0day/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb"
        },
        {
          "name": "MS09-043",
          "tags": [
            "vendor-advisory",
            "x_refsource_MS"
          ],
          "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2009-1136",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 Gold and SP1, and Office Small Business Accounting 2006, when used in Internet Explorer, allows remote attackers to execute arbitrary code via a crafted call to the msDataSourceObject method, as exploited in the wild in July and August 2009, aka \"Office Web Components HTML Script Vulnerability.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "oval:org.mitre.oval:def:5809",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5809"
            },
            {
              "name": "http://isc.sans.org/diary.html?storyid=6778",
              "refsource": "MISC",
              "url": "http://isc.sans.org/diary.html?storyid=6778"
            },
            {
              "name": "TA09-223A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
            },
            {
              "name": "http://www.microsoft.com/technet/security/advisory/973472.mspx",
              "refsource": "CONFIRM",
              "url": "http://www.microsoft.com/technet/security/advisory/973472.mspx"
            },
            {
              "name": "http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx",
              "refsource": "CONFIRM",
              "url": "http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx"
            },
            {
              "name": "http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx",
              "refsource": "CONFIRM",
              "url": "http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx"
            },
            {
              "name": "http://xeye.us/blog/2009/07/one-0day/",
              "refsource": "MISC",
              "url": "http://xeye.us/blog/2009/07/one-0day/"
            },
            {
              "name": "http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb",
              "refsource": "MISC",
              "url": "http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb"
            },
            {
              "name": "MS09-043",
              "refsource": "MS",
              "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2009-1136",
    "datePublished": "2009-07-15T15:00:00",
    "dateReserved": "2009-03-25T00:00:00",
    "dateUpdated": "2024-08-07T05:04:47.977Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2009-1534 (GCVE-0-2009-1534)

Vulnerability from cvelistv5

Published

2009-08-12 17:00

Modified

2024-08-07 05:13

Severity ?

CWE

Summary

Buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2000 Web Components SP3, Office XP Web Components SP3, BizTalk Server 2002, and Visual Studio .NET 2003 SP1 allows remote attackers to execute arbitrary code via crafted property values, aka "Office Web Components Buffer Overflow Vulnerability."

References

URL

Tags

	http://osvdb.org/56916	vdb-entry, x_refsource_OSVDB
	http://www.us-cert.gov/cas/techalerts/TA09-223A.html	third-party-advisory, x_refsource_CERT
	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6326	vdb-entry, signature, x_refsource_OVAL
	http://www.securityfocus.com/bid/35992	vdb-entry, x_refsource_BID
	http://www.securitytracker.com/id?1022708	vdb-entry, x_refsource_SECTRACK
	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043	vendor-advisory, x_refsource_MS

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T05:13:25.643Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "56916",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://osvdb.org/56916"
          },
          {
            "name": "TA09-223A",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
          },
          {
            "name": "oval:org.mitre.oval:def:6326",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6326"
          },
          {
            "name": "35992",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/35992"
          },
          {
            "name": "1022708",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1022708"
          },
          {
            "name": "MS09-043",
            "tags": [
              "vendor-advisory",
              "x_refsource_MS",
              "x_transferred"
            ],
            "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-08-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2000 Web Components SP3, Office XP Web Components SP3, BizTalk Server 2002, and Visual Studio .NET 2003 SP1 allows remote attackers to execute arbitrary code via crafted property values, aka \"Office Web Components Buffer Overflow Vulnerability.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-12T19:57:01",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "56916",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://osvdb.org/56916"
        },
        {
          "name": "TA09-223A",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
        },
        {
          "name": "oval:org.mitre.oval:def:6326",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6326"
        },
        {
          "name": "35992",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/35992"
        },
        {
          "name": "1022708",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1022708"
        },
        {
          "name": "MS09-043",
          "tags": [
            "vendor-advisory",
            "x_refsource_MS"
          ],
          "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@microsoft.com",
          "ID": "CVE-2009-1534",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2000 Web Components SP3, Office XP Web Components SP3, BizTalk Server 2002, and Visual Studio .NET 2003 SP1 allows remote attackers to execute arbitrary code via crafted property values, aka \"Office Web Components Buffer Overflow Vulnerability.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "56916",
              "refsource": "OSVDB",
              "url": "http://osvdb.org/56916"
            },
            {
              "name": "TA09-223A",
              "refsource": "CERT",
              "url": "http://www.us-cert.gov/cas/techalerts/TA09-223A.html"
            },
            {
              "name": "oval:org.mitre.oval:def:6326",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6326"
            },
            {
              "name": "35992",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/35992"
            },
            {
              "name": "1022708",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1022708"
            },
            {
              "name": "MS09-043",
              "refsource": "MS",
              "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2009-1534",
    "datePublished": "2009-08-12T17:00:00",
    "dateReserved": "2009-05-05T00:00:00",
    "dateUpdated": "2024-08-07T05:13:25.643Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CERTA-2009-AVI-331

Vulnerability from certfr_avis

Description

Solution

CVE-2009-0562 (GCVE-0-2009-0562)

Vulnerability from cvelistv5

CVE-2009-2496 (GCVE-0-2009-2496)

Vulnerability from cvelistv5

CVE-2009-1136 (GCVE-0-2009-1136)

Vulnerability from cvelistv5

CVE-2009-1534 (GCVE-0-2009-1534)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature