Description
This indicates a possible attempt to exploit a remote code execution vulnerability in Microsoft Office Web Components.
The "DataSourceControl" object in the Office Web Components Library 9 (MSOWC.DLL), shipped with Office 2000 and Office XP, contains a vulnerability which allows remote attackers to control the path of file creation on the local computer. A user's computer can be compromised when browsing a malicious site that invokes the OWC functionality.

Impact
System Compromise: remote code execution.

Affected Products
Microsoft Office Web Components 2000
+ Microsoft Back Office Server 2000
+ Microsoft BizTalk Server 2000 Developer Edition SP2
+ Microsoft BizTalk Server 2000 Developer Edition SP1a
+ Microsoft BizTalk Server 2000 Developer Edition
+ Microsoft BizTalk Server 2000 Enterprise Edition SP2
+ Microsoft BizTalk Server 2000 Enterprise Edition SP1a
+ Microsoft BizTalk Server 2000 Enterprise Edition
+ Microsoft BizTalk Server 2000 Standard Edition SP2
+ Microsoft BizTalk Server 2000 Standard Edition SP1a
+ Microsoft BizTalk Server 2000 Standard Edition
+ Microsoft BizTalk Server 2002 Developer Edition
+ Microsoft BizTalk Server 2002 Enterprise Edition
+ Microsoft Commerce Server 2000 SP2
+ Microsoft Commerce Server 2000 SP1
+ Microsoft Commerce Server 2000
+ Microsoft Commerce Server 2002
+ Microsoft Internet Explorer for Unix SP2
+ Microsoft ISA Server 2000 SP2
+ Microsoft ISA Server 2000 SP1
+ Microsoft ISA Server 2000 FP1
+ Microsoft ISA Server 2000
+ Microsoft ISA Server 2000 Enterprise Edition SP2
+ Microsoft ISA Server 2000 Enterprise Edition SP1
+ Microsoft ISA Server 2000 Enterprise Edition
+ Microsoft Office 2000 SP2
+ Microsoft Office 2000 SP1
+ Microsoft Office 2000
+ Microsoft Office XP SP3
+ Microsoft Office XP SP2
+ Microsoft Office XP SP1
+ Microsoft Office XP
+ Microsoft Small Business Server 2000
+ Microsoft Visual Studio .NET 2002
+ Microsoft Visual Studio .NET 2003 Enterprise Architect
+ Microsoft Visual Studio .NET Enterprise Architect Edition
+ Microsoft Visual Studio .NET Enterprise Developer Edition

References
http://www.microsoft.com/technet/security/Bulletin/MS08-017.mspx
http://www.securityfocus.com/bid/28136
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-1201

Recommended Actions
Microsoft has released an advisory and fixes to address this issue. Please see the references for more information.
Microsoft Security Update for Commerce Server 2000 (KB941305): http://www.microsoft.com/downloads/details.aspx?FamilyId=71DE76BA-B62C-4A7A-A78A-9317F5255B13
Microsoft Security Update For Microsoft BizTalk Server 2000 (KB939714): http://www.microsoft.com/downloads/details.aspx?FamilyId=E0993E49C0A811D2973D00C04F79E4B3
Microsoft Security Update For Microsoft BizTalk Server 2002 (KB939714): http://www.microsoft.com/downloads/details.aspx?FamilyId=12B7D09A92AB4596996670799837D961
Microsoft Security Update For Microsoft Office 2000 Service Pack 3 (KB931660): http://www.microsoft.com/downloads/details.aspx?FamilyId=806c654a-35e3-4385-855a-4b803249bfcf
Microsoft Security Update for Microsoft Office Web Components 2000 used in ISA Server 2000 Reporting: http://www.microsoft.com/downloads/details.aspx?FamilyId=526D87BD-C3DA-412E-8765-C15987AE9B01
Microsoft Security Update For Microsoft Office XP Service Pack 3 (KB931660): http://www.microsoft.com/downloads/details.aspx?FamilyId=806c654a-35e3-4385-855a-4b803249bfcf
Microsoft Visual Studio .NET 2002 Service Pack 1 MSOWC.DLL Security Update: http://www.microsoft.com/downloads/details.aspx?FamilyId=D71B23FA-A873-406D-BAD7-E38E565DEE39&displaylang=en
Microsoft Visual Studio .NET 2003 Service Pack 1 MSOWC.DLL Security Update: http://www.microsoft.com/downloads/details.aspx?FamilyId=2FE10CCD-40CB-4090-B83D-EAE3D4ECA174&displaylang=en