Critical Microsoft Office Web Components Vulnerability


Date: July 13, 2009
To: The U of U Campus Community
From: Office of Information Technology and the Information Security Office
Subject: Critical Microsoft Office Web Components Vulnerability

 

The SANS Institute has issued a warning about a vulnerability in Microsoft Office Web Components that could allow remote code execution. According to SANS, this vulnerability exists in the ActiveX control used by Internet Explorer (IE) to display Excel spreadsheets (http://isc.sans.org/).

These attacks appear to be opportunistic in nature; anyone who browses to an infected website while using Microsoft Internet Explorer will be affected.

Recommendations

  1. Make sure your anti-virus software is up to date.
  2. Consider using an alternate browser such as Firefox, Safari or Opera. Only Microsoft Internet Explorer is vulnerable.
  3. Ask your system administrator about the Microsoft workaround tool: http://support.microsoft.com/kb/973472 (Do not deploy on critical resources without thorough testing.)

 

Technical Resources:

Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution
http://isc.sans.org/diary.html?storyid=6778

Microsoft Security Advisory (973472): Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/973472.mspx

Microsoft Workaround Tool
http://support.microsoft.com/kb/973472

Microsoft Warns of New Office Web Components Vulnerability
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361617,00.html#