The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Office, Visual, BizTalk, Commerce, ISA: vulnerabilities

Synthesis of the vulnerability 

Two vulnerabilities of Microsoft Office, Visual Studio .NET, BizTalk Server, Commerce Server and Internet Security and Acceleration Server products can be used to execute code.
Vulnerable software: BizTalk Server, ISA, Office, Access, Excel, Outlook, PowerPoint, Publisher, Word, Visual Studio.
Severity of this bulletin: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/03/2008.
References of this computer vulnerability: 933103, BID-28135, BID-28136, CERTA-2008-AVI-127, CVE-2006-4695, CVE-2007-1201, MS08-017, VIGILANCE-VUL-7657, VU#654577.

Description of the vulnerability 

Two vulnerabilities impact Microsoft Office Web Components 2000 (provided with Microsoft Office, Visual Studio .NET, BizTalk Server, Commerce Server and Internet Security and Acceleration Server).

An attacker can create an HTML page using a malicious URI in order to execute code in an ActiveX control of Microsoft Office Web Components. [severity:3/4; BID-28135, CVE-2006-4695, VU#654577]

An attacker can create an HTML page using malicious data in order to execute code in an ActiveX control of Microsoft Office Web Components. [severity:3/4; BID-28136, CVE-2007-1201]

This computer vulnerability bulletin impacts software or systems such as BizTalk Server, ISA, Office, Access, Excel, Outlook, PowerPoint, Publisher, Word, Visual Studio.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is important.

The trust level is "confirmed by the editor", and the origin of the information is a document.

This bulletin is about 2 vulnerabilities.

An attacker with expert ability can exploit this threat note.

Solutions for this threat 

Office, Visual, BizTalk, Commerce, ISA: patch.
A patch is available:
Client
  Office 2000 SP3
    http://www.microsoft.com/downloads/details.aspx?FamilyId=806c654a-35e3-4385-855a-4b803249bfcf
  Office XP SP3
    http://www.microsoft.com/downloads/details.aspx?FamilyId=f54d2a5e-c0ed-4f70-9746-38dd61c8e9d7
  Visual Studio .NET 2002 SP1
    http://www.microsoft.com/downloads/details.aspx?FamilyId=D71B23FA-A873-406D-BAD7-E38E565DEE39
  Visual Studio .NET 2003 SP1
    http://www.microsoft.com/downloads/details.aspx?FamilyId=2FE10CCD-40CB-4090-B83D-EAE3D4ECA174
Server
  BizTalk Server 2000
    http://www.microsoft.com/downloads/details.aspx?FamilyId=5FDDD54F-7A33-4EA3-B68D-B96A9BAE509D
  BizTalk Server 2002
    http://www.microsoft.com/downloads/details.aspx?FamilyId=5FDDD54F-7A33-4EA3-B68D-B96A9BAE509D
  Commerce Server 2000
    http://www.microsoft.com/downloads/details.aspx?FamilyId=71DE76BA-B62C-4A7A-A78A-9317F5255B13
  ISA 2000 SP2
    http://www.microsoft.com/downloads/details.aspx?FamilyId=526D87BD-C3DA-412E-8765-C15987AE9B01
Microsoft's announcement indicates workarounds.
