OWC Remote Code Execution (Aug 27, 2009)

By

Microsoft Office Web Components (OWC) provide a mechanism for data analysis and visualization. OWC can be divided into two groups — visible components and data controls. The data controls provide methods for connecting to data sources and retrieving data. If the control is instantiated, it attempts to provide data binding to the server controls. If the binding fails, it may release the object.

A memory corruption vulnerability exists in Microsoft Office Web Components controls. Specifically, the vulnerability exists in the initialization and release of the control object. In case that loading and releasing of the vulnerable control is repeated multiple times (through script code), the object attempts to read data from corrupted heap memory; as a result, flow of code execution may be changed. Remote attackers could exploit this vulnerability by enticing a target user to visit a maliciously crafted web page. Successful exploitation would result in code execution with the privileges of the logged in user. This vulnerability has been assigned as CVE-2009-0562.

By default the affected ActiveX controls are not installed on any Windows platform. However they are often installed with the popular MS Office suite and some server applications. This makes for a very large base of affected users.

The ClassIDs of the affected controls are:

0002E543-0000-0000-C000-000000000046
0002E553-0000-0000-C000-000000000046
0002E55B-0000-0000-C000-000000000046

The affected controls can also be instantiated using ProgIDs:

OWC10.DataSourceControl
OWC11.DataSourceControl

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3144 – MS Office Web Components Remote Code Execution Attempt (MS09-043)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.