Office Web Components is prone to an overflow condition. The ActiveX control fails to properly sanitize user-supplied input via the HTMLURL parameter resulting in a buffer overflow. With a specially crafted website, a context-dependent attacker can potentially cause arbitrary code execution.

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

• Security Tracker: 1022708
• CVE ID: 2009-1534 (see also: NVD)
• Bugtraq ID: 35992
• Related OSVDB ID: 56914 56915
• Metasploit ID: 56916
• OVAL ID: 6326
• Microsoft Knowledge Base Article: 957638
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2009-08/0172.html
• Generic Exploit URL: http://d2sec.com/products.htm
  http://www.saintcorporation.com/cgi-bin/exploit_info/ms_office_web_components_spreadsheet_htmlurl
• Other Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=819
• News Article: http://www.eweek.com/c/a/Security/Microsoft-to-Fix-Windows-Office-Bugs-in-Critical-Updates-641093/
• Microsoft Security Bulletin: MS09-043
• CERT: TA09-223A

• Sean Larsson - iDefense Labs