vulnerability bulletin CVE-2009-0562 CVE-2009-1136 CVE-2009-1534
Office Web Components: several vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of the Office Web Components ActiveX controls in order to execute code on the victim's computer.
Impacted products:
BizTalk Server, ISA, Office, Access, Excel, Outlook, PowerPoint, Project, Publisher, Visio, Word, Visual Studio.
957638, BID-35642, BID-35990, BID-35991, BID-35992, CERTA-2009-AVI-331, CVE-2009-0562, CVE-2009-1136, CVE-2009-1534, CVE-2009-2496, MS09-043, VIGILANCE-VUL-8943, VU#545228, ZDI-09-054, ZDI-09-055, ZDI-09-056.
Description of the vulnerability
Microsoft Office Web Components are installed with Office, BizTalk, Visual Studio and ISA, and provide ActiveX controls to publish spreadsheets and charts on a web site.
An attacker can generate an error during memory allocation, after an ActiveX control has been loaded and unloaded, leading to code execution. [severity:4/4; BID-35990, CERTA-2009-AVI-331, CVE-2009-0562, ZDI-09-055]
An attacker can generate a heap memory corruption in BorderAround(). [severity:4/4; BID-35991, CVE-2009-2496, ZDI-09-056]
An attacker can use invalid parameters in order to corrupt memory in msDataSourceObject() (VIGILANCE-VUL-8854). [severity:4/4; BID-35642, CVE-2009-1136, VU#545228, ZDI-09-054]
An attacker can generate a buffer overflow. [severity:4/4; BID-35992, CVE-2009-1534]
An attacker can therefore create an HTML page containing one of these ActiveX controls in order to execute code on the victim's computer.