Microsoft Office Web Components (OWC) provide a mechanism for data analysis and visualization. OWC can be divided into two groups — visible components and data controls. The data controls provide methods for connecting to data sources and retrieving data. If the control is instantiated, it attempts to provide data binding to the server controls. If the binding fails, it may release the object.

A memory corruption vulnerability exists in Microsoft Office Web Components controls. Specifically, the vulnerability exists in the initialization and release of the control object. In case that loading and releasing of the vulnerable control is repeated multiple times (through script code), the object attempts to read data from corrupted heap memory; as a result, flow of code execution may be changed. Remote attackers could exploit this vulnerability by enticing a target user to visit a maliciously crafted web page. Successful exploitation would result in code execution with the privileges of the logged in user. This vulnerability has been assigned as CVE-2009-0562.

By default the affected ActiveX controls are not installed on any Windows platform. However they are often installed with the popular MS Office suite and some server applications. This makes for a very large base of affected users.

The ClassIDs of the affected controls are:

0002E543-0000-0000-C000-000000000046
0002E553-0000-0000-C000-000000000046
0002E55B-0000-0000-C000-000000000046

The affected controls can also be instantiated using ProgIDs:

OWC10.DataSourceControl
OWC11.DataSourceControl

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

• 3144 – MS Office Web Components Remote Code Execution Attempt (MS09-043)

Firebird is a relational database offering many ANSI SQL standard features that runs on Linux, Windows, and a variety of Unix platforms. It can be run under three different types of architectures: Classic Server, Embedded Server, and Superserver. In typical client/server environments Firebird runs as either Classic Server or Superserver. In Classic Server mode, Firebird creates a separate process for every client connection, each with its own cache. Alternatively running in Superserver mode, Firebird executes as a single process serving all the connections, and using threads to handle requests.

Firebird database server listens on port TCP/3050. All messages transferred through this port are defined as an XDR specification, which defines a common data representation format for remote function calls as bellow:

Offset Type Size Description ------ -------- ---- ----------- 0x0000 xdr_long  4 opcode  0x0004 data	 n depends on the opcode 

The content and length of the data field depends on the opcode. It has been observed that the opcode called op_connect_request(0x00000035) has the following structure:

Offset Type Size Description ------ -------- ---- ----------- 0x0000 xdr_long 4 opcode 0x35 0x0004 xdr_short 2 p_req_type 0x0006 xdr_short 2 p_req_object 0x0008 xdr_long 4 p_req_partner

A denial of service vulnerability exists in Firebird database server when running in Superserver mode. Specifically, the vulnerability is due to an exception handling error when processing op_connect_request(0x35) messages with an overly long data section. An attacker can exploit this issue by sending an op_connect_request message with a large data to cause a denial of service to the Firebird database server. The affected service must be manually restarted.

SonicWALL UTM research team has released an IPS signature that will detect and block generic attack attempts addressing this issue. The IPS signature is listed as bellow:

• 4252 Firebird SQL op_connect_request DoS

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-2620.

Microsoft Windows Workstation service is a new service added in Windows XP, Vista, Server 2003, and thereafter. It is started to notify selected users and administrators of administrative alerts automatically. If this service is disabled, any services that explicitly depend on it will fail to start.

The Workstation Service can be accessed through the DCE-RPC interface. And its numerous methods can be accessed by other processes through the Remote Procedure Call (RPC) interface (UUID: 6bffd098-a112-3610-9833-46c3f87e345a). The interface is accessible through several endpoints and transports such as “wkssvc”. After the interface is successfully bound through a transport, the user is allowed to call the provided RPC methods.

The Workstation Service provides multiple methods through its RPC interface. The methods perform tasks such as user information queries, domain changes and additions among other things. A list of some of the supplied methods is shown below:

• NetrGetJoinInformation
• NetrJoinDomain2
• NetrWkstaGetInfo
• NetrWkstaSetInfo

The NetrGetJoinInformation method, which is listed above, is responsible for retrieving information about the workgroup or domain to which the specified computer is joined. According to MSDN Windows API definition, the syntax of NetrGetJoinInformation method is defined as bellow:

unsigned long NetrGetJoinInformation( [in, string, unique] WKSSVC_IMPERSONATE_HANDLE ServerName, [in, out, string] wchar_t** NameBuffer, [out] PNETSETUP_JOIN_STATUS BufferType );

A double free vulnerability exists in the vulnerable version of Microsoft Windows Workstation service. Specifically, the vulnerability is due to improper handling of the requests for the NetrGetJoinInformation method with a specially crafted NameBuffer value.

Remote authenticated attackers can exploit this vulnerability to inject arbitrary code and execute with the privileges of the affected service, which is SYSTEM by default.

SonicWALL UTM research team has released an IPS signature that will detect and block generic attack attempts addressing this issue. The IPS signature is listed as bellow:

• 4288 MS Windows Workstation Service Memory Corruption Attempt (MS09-041)

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-1544. Microsoft has referred this vulnerability in its security advisory MS09-041.

Microsoft Internet Explorer browser provides web developers with the ability to dynamically modify, and style, a web page via the Document Object Model (DOM) and Cascading Style Sheets (CSS). The Document Object Model is a cross-platform and language-independent convention used for representing and interacting with objects in HTML, XHTML and XML documents. The browser supports both the Javascript and JScript scripting languages. JScript can be used to access and modify a web page’s underlying DOM structure. The appearance of a page is mainly manipulated by the use of CSS. This technology is used to define the aesthetic aspects of a web page such as fonts, colors and spacing.

Styles are defined and stored either inline or within external style sheets. The following example code snippet illustrates the use of an inline style definition:

 p { color: red; } 

In the above example, a single rule is defined for the paragraph HTML element. Internet Explorer is instructed to style all text within the p tag with the color red. JScript is capable of accessing the stylesheets within a web page using the DOM property document.styleSheets. This property is a collection of styleSheet objects, which can contain zero or more CSS rules. The property can be used to delete or modify existing CSS rules. An example of its usage is shown:

 var testStyle = document.styleSheets[3].rules[0].style; 

This above code creates a reference to a CSS rule which contains methods and attributes related to the style object. This reference can then be used to modify the style definition for the associated CSS rule. Internet Explorer exposes an additional styleSheet property, cssText, which can be used to set or retrieve the text representation of the CSS rules. An example of the usage of this property is shown:

 document.styleSheets[1].cssText = "p { color: green; }"; 

A memory corruption vulnerability exists in Microsoft Internet Explorer. It is created by a design error in the way the browser accesses an object that has been deleted. When a cssText property of a styleSheet is assigned a new value, as shown in the last example code snippet, the browser does not properly clean up the previous underlying style object which is replaced by the new assignment. A JScript reference to a style object will remain in memory even after the cssText reassignment.

A remote attacker can exploit this vulnerability by enticing target users to visit a crafted web page that references and attempts to use a style object left in memory after a cssText reassignment. This can potentially cause memory corruption, overwriting critical memory, and allow for the injection and execution of arbitrary code.

Successful exploitation may result in code execution with the privileges of the logged in user. Exploitation of this vulnerability resulting in code execution is not considered to be a trivial task. Upon unsuccessful exploitation, the affected browser may terminate as a result of an invalid memory access.

SonicWall has developed and released an IPS signature that detects and blocks a specific exploit targeting this vulnerability. Generic detection of attack attempts is not feasible as it would require logical analysis of all script contained within a given web site. The IPS signature released to address this vulnerability is:

• 4236 – MS IE Stylesheet Memory Corruption PoC (MS09-034)

The vulnerability has been assigned CVE-2009-1919 by Mitre.org. The vendor has released a security bulletin to address this flaw.