We are aware of public attacks on the Internet exploiting a vulnerability in the Office Web Components Spreadsheet ActiveX control (OWC 10 and OWC11). Microsoft has released an advisory with further information available here.

What’s the attacking vector?

This vulnerability could be used for remote code execution in a "browse and get owned" scenario. User interaction is required since a user needs to go to a malicious website that hosts the exploit.

What configurations are at risk?

Neither OWC10 nor OWC11 are installed by default on any Windows version. However, it can be installed along several products:


OWC10 OWC11
Office XP Yes
Office 2003 Yes Yes
Office 2007
Opt
BizTalk
Yes
ISA Server
Yes
Office Accounting and Business Contact Manager
Yes
Manually installed from Microsoft Download Center
Owc10: http://www.microsoft.com/downloads/details.aspx?FamilyID=982B0359-0A86-4FB2-A7EE-5F3A499515DD&displaylang=EN
Owc11: http://www.microsoft.com/downloads/details.aspx?FamilyId=7287252C-402E-4F72-97A5-E0FD290D4B76&displaylang=en
Yes Yes

Yes=Installed by default (Vulnerable)
Opt = Optional install (May be vulnerable)

Please note, there are several scenarios and configurations that mitigate this vulnerability:

  • Outlook and Outlook Express are not affected because both open HTML mails in a zone where ActiveX is restricted. However, if a user follows a link to a malicious website, attackers could exploit this vulnerability.
  • ActiveX controls will not load in the Internet Zone on Windows Server 2003 or Windows Server 2008 if a user uses default settings when browsing, due to the Enhanced Security Configuration (ESC).
  • If OWC is not installed on the computer and the user visits a page hosting the attack then Internet Explorer 7 or 8 will show the gold bar prompt requesting permission to install the ActiveX.

How do I check whether I am at risk?

You can check whether a workstation is vulnerable to this attack by using the Classid.cs tool we published in a previous blog post.

By default, if the control is installed, it can be instantiated and scripted as seen by the tool output below:

C:\>ClassId.exe {0002E541-0000-0000-C000-000000000046} (*)
Clsid: {0002E541-0000-0000-C000-000000000046}
Progid: OWC10.Spreadsheet.10
Binary Path: C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True --- IE will allow loading
Safe For Scripting (IObjectSafety): True --- IE will allow scripting
Safe For Initialization (Registry): False
Safe For Scripting (Registry): False
KillBitted: False --- It is not killbitted

(*) This example uses the OWC10 classid. Same applies to the OWC11 classid: {0002E559-0000-0000-C000-000000000046}

How could I protect myself?

In order to protect your system you can issue the killbit for the two classids by adding the following value in the registry following these steps:

1) Use Registry Editor to view the data value of the Compatibility Flags DWORD in the following two registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}

2) Change or add the value of the Compatibility Flags DWORD value to 0x00000400.

After applying the killbit you can check it again with the ClassId.cs tool:

C:\>ClassId.exe {0002E541-0000-0000-C000-000000000046} (*)

Clsid: {0002E541-0000-0000-C000-000000000046}
Progid: OWC10.Spreadsheet.10
Binary Path: C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True
Safe For Initialization (Registry): False
Safe For Scripting (Registry): False
KillBitted: True --- Since the kilbit has been applied, IE will refuse to load the control

(*) This example uses the OWC10 classid. Same applies to the OWC11 classid: {0002E559-0000-0000-C000-000000000046}

At this point you are no longer vulnerable to this threat through the IE vector.

As mentioned in the advisory, we are also providing a way to apply this workaround automatically. You can click the button below to set the kill-bit on this control.

Click Here To Kill-Bit OWC.Spreadsheet

Please visit Microsoft Knowledge Base Article 973472 for more information about this FixIt option.

- Fermin J. Serna, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*