vulnerability note CVE-2009-1136
Microsoft Office Web Components: memory corruption
Synthesis of the vulnerability
An attacker can lure the victim into viewing an HTML page that corrupts the memory of a Microsoft Office Web Components ActiveX control, leading to code execution.
Impacted products: BizTalk Server, IE, ISA, Office, Access, Excel, Microsoft FrontPage, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word, Visual Studio.
Severity: 4/4.
Creation date: 15/07/2009.
Identifiers: 957638, 973472, BID-35642, CVE-2009-1136, FGA-2009-27, MS09-043, VIGILANCE-VUL-8854, VU#545228.
Description of the vulnerability
Microsoft Office Web Components are installed with Office and ISA, and provide ActiveX controls to publish spreadsheets and charts on a web site.
The OWC10.Spreadsheet ActiveX control displays an Excel spreadsheet. Its Evaluate() and msDataSourceObject() methods do not correctly validate number arrays, which corrupts memory.
An attacker can therefore lure the victim into viewing an HTML page that corrupts the memory of a Microsoft Office Web Components ActiveX control, leading to code execution.
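For triage of web or mail content, the following added example (not part of the bulletin and not vendor code) flags HTML that instantiates the OWC10.Spreadsheet control from script and calls one of the two affected methods. The ProgID and method names come from the description above; the function name scan_html, the verdict labels and the sample pages are assumptions constructed for illustration.

```python
import re

# ProgID and method names come from the advisory; everything else is illustrative.
PROGID = "OWC10.Spreadsheet"
METHODS = ("Evaluate", "msDataSourceObject")

# Collapse adjacent string literals ("OWC10." + "Spreadsheet") before matching.
_CONCAT = re.compile(r"""["']\s*[+&]\s*["']""")
# Script instantiation by ProgID: JScript ActiveXObject or VBScript CreateObject.
_CREATE = re.compile(
    r"""\b(?:ActiveXObject|CreateObject)\s*\(\s*["']%s["']""" % re.escape(PROGID),
    re.IGNORECASE)
# Member call to one of the affected methods (VBScript is case-insensitive).
_CALL = re.compile(r"\.\s*(%s)\s*\(" % "|".join(METHODS), re.IGNORECASE)


def scan_html(html):
    """Classify one HTML document: clean, instantiates or calls-affected-method."""
    flat = _CONCAT.sub("", html)
    if not _CREATE.search(flat):
        # A bare evaluate() call is too common (e.g. document.evaluate) to flag.
        return {"verdict": "clean", "methods": []}
    canonical = {m.lower(): m for m in METHODS}
    methods = sorted({canonical[m.group(1).lower()] for m in _CALL.finditer(flat)})
    verdict = "calls-affected-method" if methods else "instantiates"
    return {"verdict": verdict, "methods": methods}


# Constructed sample pages (not taken from any real incident).
SAMPLES = {
    "xpath.html": "<script>var r = document.evaluate('//a', document, null, 0, null);</script>",
    "report.html": "<script>var s = new ActiveXObject('OWC10.Spreadsheet');</script>",
    "split.html": "<script language=VBScript>Set s = CreateObject(\"OWC10.\" & \"Spreadsheet\")\n"
                  "x = s.evaluate(\"A1\")</script>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_html(body))
```

The scanner matches instantiation by ProgID only; pages that load the control through an object tag with a classid need the CLSID from the vendor advisory, which this bulletin does not list.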