Security Alerts

Security Warning: Vulnerability in Microsoft Office Web Components Control Being Exploited in The Wild
7/14/2009

Since yesterday, IT Professional Services has been monitoring a vulnerability in Microsoft Office Web Components Control that is being exploited on the Internet. Yesterday the SANS Internet Storm Center raised the Infocon threat level status to yellow for 24 hours to raise awareness of active exploitation of the Office Web Components ActiveX vulnerability. So far we know of a couple hundred web sites (mostly in China (.cn)) that are hosting this exploit, but we expect that it will soon be as far reaching as the web sites that were compromised with the Microsoft Video Control vulnerability exploit last week.

ActiveX controls are one of the top targets of malicious web exploit toolkit developers. These web exploit toolkits now account for nearly all browser-related exploits seen in the wild.

Threat Level

Warning:  Unpatched vulnerability is being actively exploited on the Internet.

(A "warning" alert is for situations that are currently occurring, or where conditions are right for the situation to occur soon.)

Severity:  Medium.  The current exploit requires user interaction to install and runs with the privileges of the logged-on-user, which could allow complete control over the computer if the user has local administrator rights.

Affected Software

Internet Explorer 6 or 7 on Windows XP and Windows Server 2003.  Enhanced Security Configuration in Windows Server 2003 effectively mitigates the vulnerability.

Analysis

This is the second time in a week that an unpatched ActiveX vulnerability has been exploited. Last Monday, Microsoft warned of active exploits taking advantage of a Video ActiveX control to launch drive-by attacks. Unlike the Microsoft Video Control vulnerability exploit from last week, which required no user interaction other than visiting a malicious web site, this Microsoft Office Web Components Control vulnerability requires user interaction to approve installing a control. Because this user interaction would be against best security practices, we have not yet taken the proactive action of killing the use of this ActiveX control in Internet Explorer.

Microsoft released patches for six security bulletins today and did not include a fix for the Microsoft Office Web Components Control vulnerability. They released a security advisory yesterday that included a suggested work-around of setting the killbit of the two affected controls (to prevent the controls from being executed in Internet Explorer).

We will likely install the work-around for the Microsoft Office Web Components Control vulnerability for Managed Care customers on our regular patch cycle along with the other Microsoft updates this weekend as long as we do not detect any problems with these patches or the work-around.

How Do I Protect My Computer

Users of Internet Explorer 7 or 8 who visit a malicious Web site attempting to exploit this vulnerability should see a gold bar prompt asking permission to install the component.  If that happens, just say no.

Microsoft has provided a workaround, a "Fix It" link that disables the vulnerable controls.  If you are not a Managed Care customer, you must MANUALLY RUN THIS FIX to install the work-around; it will not be run by Windows/Microsoft Update automatically.

Microsoft recommends setting the kill bit for two CLSIDs.  Setting the kill-bit for one control on one computer can be done with a little work.  Setting several kill-bits on many PCs is much harder to do.  The Microsoft advisory contains instructions for setting the kill bit.  In an Active Directory domain, it can be done via a Group Policy Object (GPO).
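
The following PowerShell script is an added example, not taken from the Microsoft advisory or from ITPS tooling. It reports, and with -Apply sets, the kill bit (the 0x400 bit of the "Compatibility Flags" value under the Internet Explorer "ActiveX Compatibility" registry key) for a list of CLSIDs. The two CLSIDs shown are placeholders; substitute the values listed in Microsoft Security Advisory 973472.

```powershell
# Added example. The CLSIDs below are placeholders, NOT the real values:
# substitute the two CLSIDs listed in Microsoft Security Advisory 973472.
param([switch]$Apply)   # without -Apply the script only reports

$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder
    '{00000000-0000-0000-0000-000000000002}'    # placeholder
)
$KillBit  = 0x400                    # kill bit within the Compatibility Flags DWORD
$FlagName = 'Compatibility Flags'

# Native registry view, plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

function Get-Flags([string]$Key) {
    # A missing key or value means no flags are set.
    if (-not (Test-Path -LiteralPath $Key)) { return 0 }
    $p = Get-ItemProperty -LiteralPath $Key -Name $FlagName -ErrorAction SilentlyContinue
    if ($p) { return [int]$p.$FlagName }
    return 0
}

foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        $key   = Join-Path $root $clsid
        $flags = Get-Flags $key
        if ($Apply -and (($flags -band $KillBit) -eq 0)) {
            # Create the key only when it is absent, so an existing key and
            # its values are never recreated.
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the bit in so other compatibility flags already present are preserved.
            New-ItemProperty -LiteralPath $key -Name $FlagName -PropertyType DWord `
                -Value ($flags -bor $KillBit) -Force | Out-Null
            $flags = Get-Flags $key
        }
        '{0}  flags=0x{1:X8}  killbit={2}' -f $key, $flags, (($flags -band $KillBit) -ne 0)
    }
}
```

Run it from an elevated prompt when using -Apply, since it writes under HKEY_LOCAL_MACHINE. Running it without -Apply afterwards confirms that each CLSID reports killbit=True.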

Use a gateway spyware blocker (such as Untangle) that can block malicious ActiveX controls and add the vulnerable ActiveX control's CLSID in just one place on your network.

Do not log on with an account with administrative rights for normal use of the computer.

Keep virus protection and intrusion detection/prevention system definitions up-to-date.  However, other exploits of the underlying vulnerability will not necessarily be detected by virus protection or intrusion detection/prevention systems until a sample of the exploit has been analyzed and definitions developed.

More Information

Security Advisories

Microsoft Security Advisory (973472): Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution
KB article: http://support.microsoft.com/kb/973472 (Includes Microsoft Fix it.)

SANS Internet Storm Center:
http://isc.sans.org/diary.html?storyid=6778
http://isc.sans.org/diary.html?storyid=6739

Internet Security Systems:
http://www.iss.net/threats/advise128.html

Sophos Blog: http://www.sophos.com/blogs/gc/g/2009/07/13/day-vulnerability-microsoft-owc-discovered/

Microsoft Blogs

SRD blog:
http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

MSRC blog:
http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx

News

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218500140&cid=RSSfeed_IWK_News

http://www.scmagazineus.com/Another-ActiveX-zero-day-bug-from-Microsoft/article/139939/?DCMP=EMC-SCUS_Newswire

Managed Services

IT Professional Services is planning to install the patches for the Microsoft Security Bulletins released today and the work-around for the Microsoft Office Web Components Control vulnerability this weekend. We are planning to killbit the affected controls by deploying the Microsoft "Fix It for Me" installer, a Group Policy Object (GPO), or an edge spyware filter (for those with an ITPS UTM gateway) to protect all systems under managed care.

Professional Services

If you need assistance installing protection from this exploit or a security assessment, IT Professional Services can help. Call our help desk.

Find out more about our managed care service.

To find out how vulnerable your network is, schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

© 2009-2013 IT Professional Services All rights are reserved.  (805) 650-6030