Watchguard Live Security: Three Vulnerable ActiveX Controls Plague Microsoft Office and Visio

SEVERITY: HIGH
13 October, 2009
SUMMARY:
 This vulnerability affects: All current versions of Microsoft Office (also affects Visio)
 How an attacker exploits it: By luring your users to a malicious web page
 Impact: An attacker can execute code on your user’s computer, potentially gaining control of it
 What to do: Install the appropriate Microsoft Patch as soon as possible, or let Windows Update download your patches automatically
EXPOSURE:
Today, Microsoft released a security bulletin describing three vulnerable ActiveX controls that ship with most versions of Microsoft Office. The flawed controls also come with Visio.
In previous LiveSecurity alerts [ 1 / 2 ], we’ve described Microsoft’s Active Template Library (ATL), which is a collection of programmatic templates that help developers create ActiveX controls. Many Microsoft products, including Office and Visio, ship with ActiveX controls created with the ATL library. Unfortunately, a previous version of ATL suffered from security vulnerabilities that led to the creation of many vulnerable ActiveX controls. Since then, Microsoft has continued to find legacy ActiveX controls that suffer from these vulnerabilities.
Today’s Office bulletin fixes three more vulnerabilities stemming from the ATL issues. The three flaws differ technically, but share the same scope and impact. By enticing one of your users to a specially crafted website, an attacker could exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your users have local administrative privileges, attackers could leverage this type of flaw to gain full control of their computers.
SOLUTION PATH
Microsoft has released patches that correct these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
 For Office XP: Microsoft Outlook 2002
 For Office 2003: Microsoft Office Outlook 2003
 For 2007 Microsoft Office System: Microsoft Office Outlook 2007
 For Other Microsoft Software: Microsoft Office Visio Viewer 2007
FOR ALL WATCHGUARD USERS:
Many of these attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
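Because the exploit page arrives as ordinary HTTP content that instantiates an ActiveX control, one supplementary check a web proxy or content filter can run is to flag HTML `<object>` elements whose `classid` refers to a control you have decided to block. The script below is an added example written for this alert, not WatchGuard code or part of any Microsoft patch; the CLSIDs in its denylist are constructed placeholders, not the identifiers of the controls in the bulletin, and the sample page is constructed as well.

```python
"""Added example: flag HTML that instantiates a denylisted ActiveX control.

A proxy or content filter could apply this to HTTP responses that it must
otherwise allow through. It looks only for static <object> tags; a page that
builds the tag with script at runtime would need a different check.
"""
from html.parser import HTMLParser
import re

# Constructed placeholder denylist. In practice, populate this from the vendor
# bulletin's list of affected control CLSIDs.
DENYLIST = {
    "00000000-0000-0000-0000-00000000aaaa",
    "00000000-0000-0000-0000-00000000bbbb",
}

# Matches "clsid:{GUID}" or "clsid:GUID" in any letter case.
CLSID_RE = re.compile(r"clsid:\s*\{?([0-9a-f-]{36})\}?", re.IGNORECASE)


def normalize_clsid(value):
    """Return the bare, lowercase GUID from a classid attribute, or None."""
    if value is None:
        return None
    match = CLSID_RE.search(value)
    return match.group(1).lower() if match else None


class ObjectTagScanner(HTMLParser):
    """Collect every <object> whose classid is on the denylist."""

    def __init__(self, denylist):
        super().__init__()
        self.denylist = denylist
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":  # HTMLParser already lowercases tag names
            return
        attr_map = {name: value for name, value in attrs}
        clsid = normalize_clsid(attr_map.get("classid"))
        if clsid and clsid in self.denylist:
            self.findings.append({
                "clsid": clsid,
                "line": self.getpos()[0],          # line where the tag starts
                "codebase": attr_map.get("codebase"),  # where IE would fetch it
            })


def scan_html(body, denylist=DENYLIST):
    """Return a list of findings for each denylisted control the page loads."""
    scanner = ObjectTagScanner(denylist)
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample page: one denylisted control, one unrelated control.
SAMPLE_PAGE = """<html><body>
<p>Quarterly report</p>
<object classid="CLSID:{00000000-0000-0000-0000-00000000AAAA}" codebase="http://example.invalid/x.cab"></object>
<object classid="clsid:11111111-2222-3333-4444-555555555555"></object>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(f"line {finding['line']}: denylisted CLSID {finding['clsid']} "
              f"(codebase={finding['codebase']})")
```

A hit like this is a signal to investigate the page and the client that requested it, not a substitute for the patches above: the check sees only controls that the page names literally, so patching the controls themselves remains the reliable fix.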
STATUS:
Microsoft has released patches for these vulnerabilities.
