We are aware of public attacks on the Internet exploiting a vulnerability in the Office Web Components Spreadsheet ActiveX control (OWC 10 and OWC11). Microsoft has released an advisory with further information available here.
What’s the attack vector?
This vulnerability could be used for remote code execution in a “browse and get owned” scenario. User interaction is required since a user needs to go to a malicious website that hosts the exploit.
What configurations are at risk?
Neither OWC10 nor OWC11 is installed by default on any Windows version. However, they can be installed along with several products:
Product | OWC10 | OWC11 |
---|---|---|
Office XP | Yes | |
Office 2003 | Yes | Yes |
Office 2007 | Opt | |
BizTalk | Yes | |
ISA Server | Yes | |
Office Accounting and Business Contact Manager | Yes | |
Manually installed from Microsoft Download Center (OWC10: http://www.microsoft.com/downloads/details.aspx?FamilyID=982B0359-0A86-4FB2-A7EE-5F3A499515DD&displaylang=EN, OWC11: http://www.microsoft.com/downloads/details.aspx?FamilyId=7287252C-402E-4F72-97A5-E0FD290D4B76&displaylang=en) | Yes | Yes |
Yes = Installed by default (Vulnerable)
Opt = Optional install (May be vulnerable)
Please note, there are several scenarios and configurations that mitigate this vulnerability:
- Outlook and Outlook Express are not affected because both open HTML mails in a zone where ActiveX is restricted. However, if a user follows a link to a malicious website, attackers could exploit this vulnerability.
- ActiveX controls will not load in the Internet Zone on Windows Server 2003 or Windows Server 2008 if a user uses default settings when browsing, due to the Enhanced Security Configuration (ESC).
- If OWC is not installed on the computer and the user visits a page hosting the attack, Internet Explorer 7 or 8 will show the gold bar prompt requesting permission to install the ActiveX control.
How do I check whether I am at risk?
You can check whether a workstation is vulnerable to this attack by using the ClassId.cs tool we published in a previous blog post.
By default, if the control is installed, it can be instantiated and scripted, as seen in the tool output below:
```
C:\>ClassId.exe {0002E541-0000-0000-C000-000000000046} (*)
Clsid: {0002E541-0000-0000-C000-000000000046}
Progid: OWC10.Spreadsheet.10
Binary Path: C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True --- IE will allow loading
Safe For Scripting (IObjectSafety): True --- IE will allow scripting
Safe For Initialization (Registry): False
Safe For Scripting (Registry): False
KillBitted: False --- It is not killbitted
```
(*) This example uses the OWC10 classid. The same applies to the OWC11 classid: {0002E559-0000-0000-C000-000000000046}
How could I protect myself?
To protect your system, you can set the killbit for the two classids in the registry by following these steps:
- Use Registry Editor to view the data value of the Compatibility Flags DWORD in the following two registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}
- Set the Compatibility Flags DWORD value to 0x00000400, adding the value if it does not already exist.
After applying the killbit you can check it again with the ClassId.cs tool:
```
C:\>ClassId.exe {0002E541-0000-0000-C000-000000000046} (*)

Clsid: {0002E541-0000-0000-C000-000000000046}
Progid: OWC10.Spreadsheet.10
Binary Path: C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
Safe For Initialization (Registry): False
Safe For Scripting (Registry): False
KillBitted: True --- Since the killbit has been applied, IE will refuse to load the control
```
(*) This example uses the OWC10 classid. The same applies to the OWC11 classid: {0002E559-0000-0000-C000-000000000046}
At this point you are no longer vulnerable to this threat through the IE vector.
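The manual steps above can be scripted for auditing a fleet of workstations. The following PowerShell is an added example, not part of the original post or of the FixIt package; the function names, the `-Apply` switch, and the extra check of the `Wow6432Node` key (the 32-bit registry view on 64-bit Windows) are assumptions of this example.

```powershell
# Added example: report, and with -Apply set, the killbit for the two OWC Spreadsheet classids.
# Run from an elevated prompt when using -Apply (HKLM is written).
param([switch]$Apply)

$KillBit = 0x400   # Compatibility Flags value from the post (0x00000400)
$Clsids  = @{
    'OWC10' = '{0002E541-0000-0000-C000-000000000046}'
    'OWC11' = '{0002E559-0000-0000-C000-000000000046}'
}

# Key from the post, plus the 32-bit view on 64-bit Windows (assumption: not covered in the post).
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatFlags {
    param([string]$Key)
    # Returns 0 when the key or the value does not exist.
    if (-not (Test-Path $Key)) { return 0 }
    $prop = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($prop) { return [int]$prop.'Compatibility Flags' }
    return 0
}

function Set-KillBit {
    param([string]$Key)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the bit in so any flags already present are kept; with no prior value
    # the result is exactly 0x00000400, as in the manual steps.
    $new = (Get-CompatFlags $Key) -bor $KillBit
    New-ItemProperty -Path $Key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

foreach ($root in $Roots) {
    foreach ($name in $Clsids.Keys) {
        $key = Join-Path $root $Clsids[$name]
        if ($Apply) { Set-KillBit $key }
        $flags = Get-CompatFlags $key
        [pscustomobject]@{
            Control    = $name
            Key        = $key
            Flags      = '0x{0:X8}' -f $flags
            KillBitted = [bool]($flags -band $KillBit)
        }
    }
}
```

Run it without arguments to report the current state; any row with `KillBitted` set to `False` corresponds to a view in which Internet Explorer would still load the control if it is installed.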
As mentioned in the advisory, we are also providing a way to apply this workaround automatically. You can click the button below to set the kill-bit on this control.
Click Here To Kill-Bit OWC.Spreadsheet
Please visit Microsoft Knowledge Base Article 973472 for more information about this FixIt option.
- Fermin J. Serna, MSRC Engineering
*Posting is provided “AS IS” with no warranties, and confers no rights.*