Security Warning: Vulnerability in
Microsoft Office Web Components Control Being Exploited in The Wild
Since yesterday, IT Professional Services has been
monitoring a vulnerability in Microsoft Office Web Components Control
that is being exploited on the Internet. Yesterday the SANS
Internet Storm Center raised the Infocon threat level status to yellow
for 24 hours to raise awareness of active exploitation of the Office
Web Components ActiveX vulnerability. So far we know of a
couple hundred web sites (mostly in China (.cn)) that are hosting this
exploit, but we expect that is will soon be as far reaching as the web
sites that were compromised with the Microsoft Video Control
vulnerability exploit last week.
ActiveX control are one of the top targets of
malicious web exploit toolkit developers. These web exploit
toolkits now account for nearly all browser-related exploits seen in
vulnerability is being actively exploited on the Internet.
Severity: Medium. The current exploit requires user
interaction to install and runs with the
privileges of the logged-on-user, which could allow complete control
over the computer if the user has local administrator rights.
(A "warning" alert is for a situation that are currently occurring or
conditions are right for the situation to occur soon.)
Internet Explorer 6 or 7 on Windows XP and Windows
Enhanced Security Configuration in Windows Server 2003
effectively mitigates the vulnerability.
This is the second time in a week that an
vulnerability has been exploited. Last Monday, Microsoft
warned of active exploits taking advantage of a Video ActiveX control
to launch drive-by attacks. Unlike the Microsoft Video
Control vulnerability exploit from last week, which required no user
interaction other than visiting a malicious web site, this Microsoft
Office Web Components Control vulnerability requires user interaction
to approve installing a control. Because this user
interaction would be against best security practices, we have not yet
taken proactive action of killing the use of this ActiveX control in
Microsoft released patches for six security
bulletins today and did not
include a fix for the Microsoft Office Web Components Control
vulnerability. They released a security advisory yesterday
that included a suggest work-around of setting the killbit of the two
affected controls (to prevent the controls from being executed in
We will likely install the work-around for the
Microsoft Office Web
Components Control vulnerability for Managed Care customers on our
regular patch cycle along with the other Microsoft updates this weekend
as long as we do not detect any problems with these patches or the
How Do I Protect My Computer
Users of Internet Explorer 7 or 8 who visit a
malicious Web site
attempting to exploit this vulnerability should see a gold bar prompt
asking permission to install the component. If that happens,
just say no.
Microsoft has provided a workaround, a "Fix It"
link that disables the
vulnerable controls. If you are not a Managed Care customer,
you must MANUALLY RUN THIS FIX to install the work-around; it will not
be run by Windows/Microsoft Update automatically.
Microsoft recommends setting the kill bit for two
the kill-bit for one control on one computer can be done with a little
work. Setting several kill-bits on many PCs is much
harder to do.
The Microsoft advisory contains instructions for setting the
kill bit. In an Active Directory domain, it can be done via a
Group Policy Object (GPO).
Use a gateway spyware blocker (such as Untangle)
that can block
malicious ActiveX controls and add the vulnerable ActiveX control's
CLSID in just one place on your network.
Do not log on with an account with
administrative rights for normal use of the computer.
Keep virus protection and
intrusion detection/prevention system definitions up-to-date.
However, other exploits of the underlying vulnerability will
not necessarily be detected by virus protection or intrusion
detection/prevention systems until a sample of the exploit has been
analyzed and definitions developed.
Microsoft Security Advisory (973472): Vulnerability in Microsoft Office Web
Components Control Could Allow Remote Code Execution
KB article: http://support.microsoft.com/kb/973472
(Includes Microsoft Fix it.)
SANS Internet Storm Center:
Internet Security Systems:
SPOHOS Blog: http://www.sophos.com/blogs/gc/g/2009/07/13/
IT Professional Services is planning to install
the patches for the
Microsoft Security Bulletins released today and the work-around for
Microsoft Office Web Components Control vulnerability this
weekend. We are planning to killbit the affected controls via
deploying the Microsoft "Fix It for Me"
installer, a Group
Policy Object (GPO), or in an edge spyware filter (for those with an
ITPS UTM gateway) to protect all systems under
If you need assistance installing protection from
this exploit or a security assessment, IT
can help. Call our
out more about our managed care service.
To find out how vulnerable your network is
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.