MS08-055: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (955047)
2008-09-10T00:00:00
ID SMB_NT_MS08-055.NASL Type nessus Reporter This script is Copyright (C) 2008-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2008-09-10T00:00:00
Description
The version of Microsoft Office running on the remote host is affected
by an argument injection vulnerability. By convincing a user to click
on a specially crafted OneNote URL, a remote attacker can exploit this
to execute arbitrary code, or to view or change data, with the rights
of the current user.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration branch: taken when 'description' is set. It only declares the
# plugin's metadata and then exits, so none of the checks below run here.
if (description)
{
  # Plugin identity and revision.
  script_id(34123);
  script_version("1.30");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");

  # Cross-references: CVE, Bugtraq, the Microsoft bulletin, one KB per
  # affected product line, and the IAVB identifier.
  script_cve_id("CVE-2008-3007");
  script_bugtraq_id(31067);
  script_xref(name:"MSFT", value:"MS08-055");
  script_xref(name:"MSKB", value:"950130");
  script_xref(name:"MSKB", value:"951944");
  script_xref(name:"MSKB", value:"953404");
  script_xref(name:"MSKB", value:"953405");
  script_xref(name:"IAVB", value:"2008-B-0058-S");

  # Report text. The summary states what is actually tested: the file
  # version of MSO.dll.
  script_name(english:"MS08-055: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (955047)");
  script_summary(english:"Determines the version of MSO.dll.");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Microsoft
Office.");
  script_set_attribute(attribute:"description", value:
"The version of Microsoft Office running on the remote host is affected
by an argument injection vulnerability. By convincing a user to click
on a specially crafted OneNote URL, a remote attacker can exploit this
to execute arbitrary code or view or change data with current user
rights.");
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-055
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?f475d079");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Office XP, 2003, 2007 and
OneNote 2007.");

  # Risk rating: CVSS v2 base and temporal vectors, scored from the CVE
  # entry, with no known exploit recorded; weakness class is CWE-20.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2008-3007");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20);

  # Disclosure, patch and plugin publication dates.
  script_set_attribute(attribute:"vuln_publication_date", value:"2008/09/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/09/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/10");

  # Declared as a "local" plugin type; CPEs cover both Office and OneNote.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:onenote");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2008-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Windows : Microsoft Bulletins");

  # Scheduling prerequisites: the scripts listed as dependencies, the KB key
  # that says bulletin checks are possible, and either an SMB port or the
  # patch-management KB flag.
  script_dependencies("smb_hotfixes.nasl", "office_installed.nasl", "onenote_installed.nbin", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}
include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("install_func.inc");
# Stop here unless the KB records that bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

# Bulletin identifier and the KB articles it covers; both are reused by the
# reporting calls further down.
bulletin = 'MS08-055';
kbs = make_list("950130", "951944", "953404", "953405");

# When the patch-management KB flag is set, hand the bulletin and KB list to
# hotfix_check_3rd_party() before the file-version checks below.
if (get_kb_item("Host/patch_management_checks"))
{
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
}

# The remaining checks need the Windows version in the KB; exit with code 1
# when it is missing.
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
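# Number of vulnerable products found; also incremented by the OneNote check
# and read by the final reporting step.
vuln = 0;

# Share bookkeeping: 'lastshare' is the share most recently tested with
# is_accessible_share() and 'accessibleshare' is the outcome of that test, so
# a share is not re-tested for every Office version living on it.
share = '';
lastshare = '';
accessibleshare = FALSE;

# mso.dll file-version checks, one per supported Office release.
#
# Coverage caveats for whoever reads the scan result:
#  - Only the service-pack levels gated below are evaluated (XP SP3,
#    2003 SP2/SP3, 2007 SP0/SP1). Any other SP level is skipped without a
#    finding.
#  - If the share holding mso.dll is not accessible, or the file version
#    cannot be read, that product is skipped without a finding, and the
#    script can still end with "not affected".
office_versions = hotfix_check_office_version ();
if ( max_index(keys(office_versions)) > 0 )
{
  # --- Office XP / 2002 (10.0), SP3 only ---------------------------------
  if (office_versions["10.0"] )
  {
    officesp = get_kb_item("SMB/Office/XP/SP");
    if (!isnull(officesp) && officesp == 3)
    {
      path = hotfix_get_officecommonfilesdir(officever:"10.0") + "\Microsoft Shared\Office10";
      dll = path + "\mso.dll";
      share = hotfix_path2share(path:path);
      lastshare = share;
      if (is_accessible_share(share:share))
      {
        accessibleshare = TRUE;
        res = hotfix_get_fversion(path:dll);
        if (res['error'] == HCF_OK)
        {
          ver = res['value'];
          # Only the build field is compared: anything below 10.0.6845 is
          # reported as missing KB953405.
          if (int(ver[0]) == 10 && int(ver[1]) == 0 && int(ver[2]) < 6845)
          {
            vuln++;
            info =
              '\n Product : Microsoft Office 2002' +
              '\n Path : ' + path +
              '\n Installed version : ' + join(ver, sep:'.') +
              '\n Fixed version : 10.0.6845.0\n';
            hotfix_add_report(info, bulletin:bulletin, kb:'953405');
          }
        }
      }
    }
  }

  # --- Office 2003 (11.0), SP2 or SP3 ------------------------------------
  if (office_versions["11.0"] )
  {
    officesp = get_kb_item("SMB/Office/2003/SP");
    if (!isnull(officesp) && (officesp == 2 || officesp == 3))
    {
      path = hotfix_get_officecommonfilesdir(officever:"11.0") + "\Microsoft Shared\Office11";
      dll = path + "\mso.dll";
      share = hotfix_path2share(path:path);

      # Re-test accessibility only for a new share or after a failed test.
      # The version check itself sits OUTSIDE this condition: nesting it
      # inside skipped the check whenever an earlier Office version had
      # already validated the same share, which hid a vulnerable install.
      if (share != lastshare || !accessibleshare)
      {
        lastshare = share;
        if (is_accessible_share(share:share)) accessibleshare = TRUE;
        else accessibleshare = FALSE;
      }

      # NOTE(review): assumes hotfix_get_fversion() locates the share from
      # the path by itself and does not depend on the is_accessible_share()
      # call made just before it - confirm against smb_hotfixes_fcheck.inc.
      if (accessibleshare)
      {
        res = hotfix_get_fversion(path:dll);
        if (res['error'] == HCF_OK)
        {
          ver = res['value'];
          if (int(ver[0]) == 11 && int(ver[1]) == 0 && int(ver[2]) < 8221)
          {
            vuln++;
            info =
              '\n Product : Microsoft Office 2003' +
              '\n Path : ' + path +
              '\n Installed version : ' + join(ver, sep:'.') +
              '\n Fixed version : 11.0.8221.0\n';
            hotfix_add_report(info, bulletin:bulletin, kb:'953404');
          }
        }
      }
    }
  }

  # --- Office 2007 (12.0), SP0 or SP1 ------------------------------------
  if (office_versions["12.0"] )
  {
    officesp = get_kb_item("SMB/Office/2007/SP");
    if (!isnull(officesp) && (officesp == 0 || officesp == 1))
    {
      path = hotfix_get_officecommonfilesdir(officever:"12.0") + "\Microsoft Shared\Office12";
      dll = path + "\mso.dll";
      share = hotfix_path2share(path:path);

      # Same share handling as for Office 2003 above.
      if (share != lastshare || !accessibleshare)
      {
        lastshare = share;
        if (is_accessible_share(share:share)) accessibleshare = TRUE;
        else accessibleshare = FALSE;
      }

      if (accessibleshare)
      {
        res = hotfix_get_fversion(path:dll);
        if (res['error'] == HCF_OK)
        {
          ver = res['value'];
          # The reported fix is 12.0.6320.5000, so the fourth field has to
          # be compared as well (as the OneNote check in this script does);
          # comparing the build alone treated 12.0.6320.0-4999 as patched.
          # NOTE(review): assumes res['value'] carries four numeric fields,
          # as the "Fixed version" strings suggest - confirm.
          if (
            int(ver[0]) == 12 && int(ver[1]) == 0 &&
            (
              int(ver[2]) < 6320 ||
              (int(ver[2]) == 6320 && int(ver[3]) < 5000)
            )
          )
          {
            vuln++;
            info =
              '\n Product : Microsoft Office 2007' +
              '\n Path : ' + path +
              '\n Installed version : ' + join(ver, sep:'.') +
              '\n Fixed version : 12.0.6320.5000\n';
            hotfix_add_report(info, bulletin:bulletin, kb:'951944');
          }
        }
      }
    }
  }
}
# Called once, after the last mso.dll file-version lookup.
hotfix_check_fversion_end();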
# OneNote 2007 check. It works from the install records returned by
# get_installs() rather than reading a file version. Only product '2007' at
# SP '0' or '1' is evaluated; every other install is skipped without a
# finding, as is any install whose version is unknown.
onenote_installs = get_installs(app_name:'Microsoft OneNote');
if (onenote_installs[0] == IF_OK)
{
  foreach install (onenote_installs[1])
  {
    onenote_product = install['product'];
    onenote_sp = install['sp'];
    onenote_path = install['path'];
    onenote_version = install['version'];

    # Guard clauses: drop records that cannot or need not be compared.
    if (onenote_version == UNKNOWN_VER) continue;
    if (onenote_product != '2007') continue;
    if (onenote_sp != '0' && onenote_sp != '1') continue;

    fields = split(onenote_version, sep:'.', keep:FALSE);

    # Vulnerable when the version is 12.0.x.y and below 12.0.6316.5000.
    if (
      int(fields[0]) == 12 && int(fields[1]) == 0 &&
      (
        int(fields[2]) < 6316 ||
        (int(fields[2]) == 6316 && int(fields[3]) < 5000)
      )
    )
    {
      vuln++;
      info =
        '\n Product : Microsoft OneNote 2007' +
        '\n Path : ' + onenote_path +
        '\n Installed version : ' + onenote_version +
        '\n Fixed version : 12.0.6316.5000\n';
      hotfix_add_report(info, bulletin:bulletin, kb:'950130');
    }
  }
}
# Final verdict. With no finding the script audits the host as not affected;
# otherwise it records the missing bulletin in the KB and raises the report.
# "Not affected" here also covers products the checks above skipped.
if (!vuln) audit(AUDIT_HOST_NOT, 'affected');
else
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  exit(0);
}
{"id": "SMB_NT_MS08-055.NASL", "bulletinFamily": "scanner", "title": "MS08-055: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (955047)", "description": "The version of Microsoft Office running on the remote host is affected\nby an argument injection vulnerability. By convincing a user to click\non a specially crafted OneNote URL, a remote attacker can exploit this\nto execute arbitrary code or view or change data with current user\nrights.", "published": "2008-09-10T00:00:00", "modified": "2008-09-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/34123", "reporter": "This script is Copyright (C) 2008-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://www.nessus.org/u?f475d079"], "cvelist": ["CVE-2008-3007"], "type": "nessus", "lastseen": "2020-08-08T13:25:27", "edition": 21, "viewCount": 12, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-3007"]}, {"type": "openvas", "idList": ["OPENVAS:900046", "OPENVAS:1361412562310900046"]}, {"type": "seebug", "idList": ["SSV:4016"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:20485", "SECURITYVULNS:VULN:9279"]}], "modified": "2020-08-08T13:25:27", "rev": 2}, "score": {"value": 8.5, "vector": "NONE", "modified": "2020-08-08T13:25:27", "rev": 2}, "vulnersScore": 8.5}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(34123);\n script_version(\"1.30\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/05\");\n\n script_cve_id(\"CVE-2008-3007\");\n script_bugtraq_id(31067);\n script_xref(name:\"MSFT\", value:\"MS08-055\");\n script_xref(name:\"MSKB\", value:\"950130\");\n script_xref(name:\"MSKB\", value:\"951944\");\n script_xref(name:\"MSKB\", value:\"953404\");\n script_xref(name:\"MSKB\", value:\"953405\");\n script_xref(name:\"IAVB\", 
value:\"2008-B-0058-S\");\n\n script_name(english:\"MS08-055: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (955047)\");\n script_summary(english:\"Determines the version of MSO.dll.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nOffice.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Office running on the remote host is affected\nby an argument injection vulnerability. By convincing a user to click\non a specially crafted OneNote URL, a remote attacker can exploit this\nto execute arbitrary code or view or change data with current user\nrights.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-055\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nessus.org/u?f475d079\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office XP, 2003, 2007 and\nOneNote 2007.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2008-3007\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/09/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/09/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/09/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:onenote\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2008-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"office_installed.nasl\", \"onenote_installed.nbin\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS08-055';\nkbs = make_list(\"950130\", \"951944\", \"953404\", \"953405\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nvuln = 0;\n\nshare = '';\nlastshare = '';\naccessibleshare = FALSE;\noffice_versions = hotfix_check_office_version ();\nif ( max_index(keys(office_versions)) > 0 )\n{\n if (office_versions[\"10.0\"] )\n {\n officesp = get_kb_item(\"SMB/Office/XP/SP\");\n if (!isnull(officesp) && officesp == 3)\n {\n path = hotfix_get_officecommonfilesdir(officever:\"10.0\") + \"\\Microsoft Shared\\Office10\";\n dll = path + \"\\mso.dll\";\n share = hotfix_path2share(path:path);\n lastshare = share;\n if (is_accessible_share(share:share))\n {\n accessibleshare = TRUE;\n res = hotfix_get_fversion(path:dll);\n if (res['error'] == HCF_OK)\n {\n ver = res['value'];\n if (int(ver[0]) == 10 && int(ver[1]) == 0 && int(ver[2]) < 6845)\n {\n vuln++;\n info =\n '\\n Product : Microsoft Office 2002' +\n '\\n Path : ' + path +\n '\\n Installed version : ' + join(ver, sep:'.') +\n '\\n Fixed version : 10.0.6845.0\\n';\n hotfix_add_report(info, 
bulletin:bulletin, kb:'953405');\n }\n }\n }\n }\n }\n if (office_versions[\"11.0\"] )\n {\n officesp = get_kb_item(\"SMB/Office/2003/SP\");\n if (!isnull(officesp) && (officesp == 2 || officesp == 3))\n {\n path = hotfix_get_officecommonfilesdir(officever:\"11.0\") + \"\\Microsoft Shared\\Office11\";\n dll = path + \"\\mso.dll\";\n share = hotfix_path2share(path:path);\n if (share != lastshare || !accessibleshare)\n {\n lastshare = share;\n if (is_accessible_share(share:share))\n {\n accessibleshare = TRUE;\n res = hotfix_get_fversion(path:dll);\n if (res['error'] == HCF_OK)\n {\n ver = res['value'];\n if (int(ver[0]) == 11 && int(ver[1]) == 0 && int(ver[2]) < 8221)\n {\n vuln++;\n info =\n '\\n Product : Microsoft Office 2003' +\n '\\n Path : ' + path +\n '\\n Installed version : ' + join(ver, sep:'.') +\n '\\n Fixed version : 11.0.8221.0\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:'953404');\n }\n }\n }\n else accessibleshare = FALSE;\n }\n }\n }\n if (office_versions[\"12.0\"] )\n {\n officesp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(officesp) && (officesp == 0 || officesp == 1))\n {\n path = hotfix_get_officecommonfilesdir(officever:\"12.0\") + \"\\Microsoft Shared\\Office12\";\n dll = path + \"\\mso.dll\";\n share = hotfix_path2share(path:path);\n if (share != lastshare || !accessibleshare)\n {\n lastshare = share;\n if (is_accessible_share(share:share))\n {\n accessibleshare = TRUE;\n res = hotfix_get_fversion(path:dll);\n if (res['error'] == HCF_OK)\n {\n ver = res['value'];\n if (int(ver[0]) == 12 && int(ver[1]) == 0 && int(ver[2]) < 6320)\n {\n vuln++;\n info =\n '\\n Product : Microsoft Office 2007' +\n '\\n Path : ' + path +\n '\\n Installed version : ' + join(ver, sep:'.') +\n '\\n Fixed version : 12.0.6320.5000\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:'951944');\n }\n }\n }\n else accessibleshare = FALSE;\n }\n }\n }\n}\nhotfix_check_fversion_end();\n\nonenote_installs = get_installs(app_name:'Microsoft OneNote');\nif 
(onenote_installs[0] == IF_OK)\n{\n foreach install (onenote_installs[1])\n {\n onenote_product = install['product'];\n onenote_sp = install['sp'];\n onenote_path = install['path'];\n onenote_version = install['version'];\n if (onenote_version == UNKNOWN_VER) continue;\n\n # Check Product\n if (onenote_product == '2007')\n {\n # Check Service Pack\n if (onenote_sp == '0' || onenote_sp == '1')\n {\n v = split(onenote_version, sep:'.', keep:FALSE);\n if (\n (int(v[0]) == 12 && int(v[1]) == 0 && int(v[2]) < 6316) ||\n (int(v[0]) == 12 && int(v[1]) == 0 && int(v[2]) == 6316 && int(v[3]) < 5000)\n )\n {\n vuln++;\n info =\n '\\n Product : Microsoft OneNote 2007' +\n '\\n Path : ' + onenote_path +\n '\\n Installed version : ' + onenote_version +\n '\\n Fixed version : 12.0.6316.5000\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:'950130');\n }\n }\n }\n }\n}\n\nif (vuln)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "naslFamily": "Windows : Microsoft Bulletins", "pluginID": "34123", "cpe": ["cpe:/a:microsoft:onenote", "cpe:/a:microsoft:office"], "scheme": null, "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:35:14", "description": "Argument injection vulnerability in a URI handler in Microsoft Office XP SP3, 2003 SP2 and SP3, 2007 Office System Gold and SP1, and Office OneNote 2007 Gold and SP1 allow remote attackers to execute arbitrary code via a crafted onenote:// URL, aka \"Uniform Resource Locator Validation Error Vulnerability.\"", "edition": 4, "cvss3": {}, "published": "2008-09-11T01:11:00", "title": "CVE-2008-3007", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-3007"], "modified": "2018-10-12T21:47:00", "cpe": ["cpe:/a:microsoft:office:2003", "cpe:/a:microsoft:office:2007", "cpe:/a:microsoft:office_onenote:2007", "cpe:/a:microsoft:office:xp"], "id": "CVE-2008-3007", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3007", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:office:2007:*:gold:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:xp:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_onenote:2007:gold:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_onenote:2007:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2003:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2007:sp1:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-02T21:10:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3007"], "description": "This host is missing critical security update according to\n Microsoft Bulletin MS08-055.", "modified": 
"2017-04-05T00:00:00", "published": "2008-09-10T00:00:00", "id": "OPENVAS:900046", "href": "http://plugins.openvas.org/nasl.php?oid=900046", "type": "openvas", "title": "Microsoft Office Remote Code Execution Vulnerabilities (955047)", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms08-055_900046.nasl 5863 2017-04-05 07:38:11Z antu123 $\n# Description: Microsoft Office Remote Code Execution Vulnerabilities (955047)\n#\n# Authors:\n# Chandan S <schandan@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2008 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n##############################################################################\n\ntag_impact = \"Remote attackers could be able to execute arbitrary code\n via a specially crafted OneNote URI referencing a specially crafted\n One Note file.\n Impact Level : Application\";\n\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link.\n http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx\";\n\ntag_affected = \"Microsoft Office XP/2003/2007 on Windows (All).\";\n\ntag_insight = \"The issue is due to an error in the parsing of a URI using\n the onenote:// protocol handler.\";\n\n\ntag_summary = \"This host is missing critical security update according to\n Microsoft Bulletin MS08-055.\";\n\n\nif(description)\n{\n script_id(900046);\n script_version(\"$Revision: 5863 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-05 09:38:11 +0200 (Wed, 05 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-10 17:51:23 +0200 (Wed, 10 Sep 2008)\");\n script_bugtraq_id(31067);\n script_cve_id(\"CVE-2008-3007\");\n script_copyright(\"Copyright (C) 2008 SecPod\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Windows : Microsoft Bulletins\");\n script_name(\"Microsoft Office Remote Code Execution Vulnerabilities (955047)\");\n script_dependencies(\"secpod_reg_enum.nasl\", \"secpod_ms_office_detection_900025.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_xref(name : \"URL\" , value : 
\"http://www.microsoft.com/technet/security/bulletin/ms08-055.mspx\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\n include(\"smb_nt.inc\");\n include(\"secpod_reg.inc\");\n include(\"secpod_smb_func.inc\");\n include(\"version_func.inc\");\n\n if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){\n exit(0);\n }\n\n\nprgmDir = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\nif(!prgmDir){\n exit(0);\n}\n\noffVer = get_kb_item(\"MS/Office/Ver\");\nif(!offVer){\n exit(0);\n}\n\n if(offVer =~ \"^10\\.\")\n {\n\tdllPath = prgmDir + \"\\Common Files\\Microsoft Shared\\Office10\\MSO.DLL\";\n\n\tvers = get_version(dllPath);\n if(vers == NULL){\n exit(0);\n }\n\n\t# Grep for version < 10.0.6845\n\tif(egrep(pattern:\"^10\\.0\\.([0-5]?[0-9]?[0-9]?[0-9]|6([0-7][0-9][0-9]\" +\n\t\t\t \"|8([0-3][0-9]|4[0-4])))$\", string:vers)){\n security_message(0);\n\t}\n \texit(0);\n }\n\n if(offVer =~ \"^11\\.\")\n {\n dllPath = prgmDir + \"\\Common Files\\Microsoft Shared\\Office11\\MSO.DLL\";\n\n vers = get_version(dllPath);\n if(vers == NULL){\n exit(0);\n }\n\n\t# Grep for version < 11.0.8221\n\tif(egrep(pattern:\"^11\\.0\\.([0-7]?[0-9]?[0-9]?[0-9]|8([01][0-9][0-9]\" +\n\t\t\t \"|2[01][0-9]|220))$\", string:vers)){\n\t\tsecurity_message(0);\n\t}\n exit(0);\n }\n\n if(offVer =~ \"^12\\.\")\n {\n dllPath = prgmDir + \"\\Common Files\\Microsoft Shared\\Office12\\MSO.DLL\";\n\n vers = get_version(dllPath);\n if(vers == NULL){\n exit(0);\n }\n\n\t# Grep for version < 12.0.6320.5000\n\tif(egrep(pattern:\"^12\\.0\\.([0-5].*|62.*|63[01][0-9].*|6320\\.[0-4]?\" +\n\t\t\t 
\"[0-9]?[0-9]?[0-9])$\", string:vers)){\n\t\tsecurity_message(0);\n\t}\n }\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-11T17:54:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3007"], "description": "This host is missing critical security update according to\n Microsoft Bulletin MS08-055.", "modified": "2020-06-09T00:00:00", "published": "2008-09-10T00:00:00", "id": "OPENVAS:1361412562310900046", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900046", "type": "openvas", "title": "Microsoft Office Remote Code Execution Vulnerabilities (955047)", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Remote Code Execution Vulnerabilities (955047)\n#\n# Authors:\n# Chandan S <schandan@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2008 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n##############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900046\");\n script_version(\"2020-06-09T11:16:08+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 11:16:08 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2008-09-10 17:51:23 +0200 (Wed, 10 Sep 2008)\");\n script_bugtraq_id(31067);\n script_cve_id(\"CVE-2008-3007\");\n script_copyright(\"Copyright (C) 2008 SecPod\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Windows : Microsoft Bulletins\");\n script_name(\"Microsoft Office Remote Code Execution Vulnerabilities (955047)\");\n script_dependencies(\"secpod_ms_office_detection_900025.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Office/Ver\");\n\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-055\");\n\n script_tag(name:\"summary\", value:\"This host is missing critical security update according to\n Microsoft Bulletin MS08-055.\");\n\n script_tag(name:\"insight\", value:\"The issue is due to an error in the parsing of a URI using\n the onenote:// protocol handler.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office XP/2003/2007.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"impact\", value:\"Remote attackers could be able to execute arbitrary code\n via a specially crafted OneNote URI referencing a specially crafted One Note file.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"secpod_smb_func.inc\");\ninclude(\"version_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){\n exit(0);\n}\n\nprgmDir = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\", item:\"ProgramFilesDir\");\nif(!prgmDir){\n exit(0);\n}\n\noffVer = get_kb_item(\"MS/Office/Ver\");\nif(!offVer){\n exit(0);\n}\n\nif(offVer =~ \"^10\\.\") {\n\n dllPath = prgmDir + \"\\Common Files\\Microsoft Shared\\Office10\\MSO.DLL\";\n\n vers = get_version(dllPath:dllPath);\n if(!vers){\n exit(0);\n }\n\n # version < 10.0.6845\n if(egrep(pattern:\"^10\\.0\\.([0-5]?[0-9]?[0-9]?[0-9]|6([0-7][0-9][0-9]|8([0-3][0-9]|4[0-4])))$\", string:vers)){\n report = report_fixed_ver(installed_version:vers, fixed_version:\"10.0.6845\", file_checked:dllPath);\n security_message(port:0, data:report);\n exit(0);\n }\n exit(99);\n}\n\nif(offVer =~ \"^11\\.\") {\n\n dllPath = prgmDir + \"\\Common Files\\Microsoft Shared\\Office11\\MSO.DLL\";\n\n vers = get_version(dllPath:dllPath);\n if(!vers){\n exit(0);\n }\n\n # version < 11.0.8221\n if(egrep(pattern:\"^11\\.0\\.([0-7]?[0-9]?[0-9]?[0-9]|8([01][0-9][0-9]|2[01][0-9]|220))$\", string:vers)){\n report = report_fixed_ver(installed_version:vers, fixed_version:\"11.0.8221\", file_checked:dllPath);\n security_message(port:0, data:report);\n exit(0);\n }\n exit(99);\n}\n\nif(offVer =~ \"^12\\.\") {\n\n dllPath = prgmDir + \"\\Common Files\\Microsoft Shared\\Office12\\MSO.DLL\";\n\n vers = get_version(dllPath:dllPath);\n if(!vers){\n exit(0);\n }\n\n # version < 12.0.6320.5000\n 
if(egrep(pattern:\"^12\\.0\\.([0-5].*|62.*|63[01][0-9].*|6320\\.[0-4]?[0-9]?[0-9]?[0-9])$\", string:vers)){\n report = report_fixed_ver(installed_version:vers, fixed_version:\"12.0.6320.5000\", file_checked:dllPath);\n security_message(port:0, data:report);\n exit(0);\n }\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T21:19:55", "description": "BUGTRAQ ID: 31067\r\nCVE ID\uff1aCVE-2008-3007\r\nCNCVE ID\uff1aCNCVE-20083007\r\n\r\nMicrosoft Office OneNote\u662f\u4e00\u6b3eMicrosoft Office \u7cfb\u7edf\u7684\u4e00\u4e2a\u96c6\u6210\u90e8\u5206\uff0c\u7528\u4e8e\u5e2e\u52a9\u7ba1\u7406\u4fe1\u606f\u8fc7\u8f7d\uff0c\u66f4\u52a0\u8f7b\u677e\u5730\u5171\u4eab\u4fe1\u606f\uff0c\u5e76\u4e14\u66f4\u52a0\u9ad8\u6548\u5730\u4e0e\u4ed6\u4eba\u534f\u4f5c\u7684\u7a0b\u5e8f\u3002\r\nMicrosoft Office\u5904\u7406\u4f7f\u7528OneNote\u534f\u8bae\u5904\u7406\u5668(onenote://)\u7684URL\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u4ee5\u5e94\u7528\u7a0b\u5e8f\u6743\u9650\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\r\n\u6784\u5efa\u7279\u6b8a\u7684onenote:// URL\u53ef\u89e6\u53d1\u6b64\u6f0f\u6d1e\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\r\n \n\nMicrosoft OneNote 2007 SP1\r\nMicrosoft OneNote 2007 0\r\nMicrosoft Office XP SP3\r\n+ Microsoft Excel 2002 SP3\r\n+ Microsoft FrontPage 2002 SP3\r\n+ Microsoft Outlook 2002 SP3\r\n+ Microsoft PowerPoint 2002 SP3\r\n+ Microsoft Publisher 2002 SP3\r\nMicrosoft Office XP SP2\r\n- Microsoft Windows 2000 Professional SP3\r\n- Microsoft Windows 2000 Professional SP2\r\n- Microsoft Windows 2000 Professional SP1\r\n- Microsoft Windows 2000 Professional \r\n- Microsoft Windows 98 \r\n- Microsoft Windows 98SE \r\n- Microsoft Windows ME \r\n- Microsoft Windows NT Workstation 4.0 SP6a\r\n- Microsoft Windows NT Workstation 4.0 SP6\r\n- Microsoft Windows NT 
Workstation 4.0 SP5\r\n- Microsoft Windows NT Workstation 4.0 SP4\r\n- Microsoft Windows NT Workstation 4.0 SP3\r\n- Microsoft Windows NT Workstation 4.0 SP2\r\n- Microsoft Windows NT Workstation 4.0 SP1\r\n- Microsoft Windows NT Workstation 4.0\r\n- Microsoft Windows XP Home SP1\r\n- Microsoft Windows XP Home \r\n- Microsoft Windows XP Professional SP1\r\n- Microsoft Windows XP Professional \r\nMicrosoft Office XP SP1\r\n- Microsoft Windows 2000 Professional SP2\r\n- Microsoft Windows 2000 Professional SP1\r\n- Microsoft Windows 2000 Professional \r\n- Microsoft Windows 98 \r\n- Microsoft Windows ME \r\n- Microsoft Windows NT Workstation 4.0 SP6a\r\n- Microsoft Windows NT Workstation 4.0 SP6\r\n- Microsoft Windows NT Workstation 4.0 SP5\r\n- Microsoft Windows NT Workstation 4.0 SP4\r\n- Microsoft Windows NT Workstation 4.0 SP3\r\n- Microsoft Windows NT Workstation 4.0 SP2\r\n- Microsoft Windows NT Workstation 4.0 SP1\r\n- Microsoft Windows NT Workstation 4.0\r\n- Microsoft Windows XP Home \r\n- Microsoft Windows XP Professional \r\nMicrosoft Office XP \r\n- Microsoft Windows 2000 Professional SP2\r\n- Microsoft Windows 2000 Professional SP1\r\n- Microsoft Windows 2000 Professional \r\n- Microsoft Windows 98 \r\n- Microsoft Windows ME \r\n- Microsoft Windows NT Workstation 4.0 SP6a\r\n- Microsoft Windows NT Workstation 4.0 SP6\r\n- Microsoft Windows NT Workstation 4.0 SP5\r\n- Microsoft Windows NT Workstation 4.0 SP4\r\n- Microsoft Windows NT Workstation 4.0 SP3\r\n- Microsoft Windows NT Workstation 4.0 SP2\r\n- Microsoft Windows NT Workstation 4.0 SP1\r\n- Microsoft Windows NT Workstation 4.0\r\n- Microsoft Windows XP Home \r\n- Microsoft Windows XP Professional \r\nMicrosoft Office 2007 SP1\r\nMicrosoft Office 2007 0\r\n+ Microsoft Access 2007 0\r\n+ Microsoft Excel 2003 \r\n+ Microsoft Excel 2007 0\r\n+ Microsoft FrontPage 2003 \r\n+ Microsoft Groove 2007 0\r\n+ Microsoft InfoPath 2003 \r\n+ Microsoft InfoPath 2007 0\r\n+ Microsoft Office Communicator 2007 
0\r\n+ Microsoft OneNote 2003 0\r\n+ Microsoft Outlook 2003 0\r\n+ Microsoft Outlook 2007 0\r\n+ Microsoft PowerPoint 2003 0\r\n+ Microsoft PowerPoint 2007 0\r\n+ Microsoft Project Professional 2007 0\r\n+ Microsoft Project Standard 2007 0\r\n+ Microsoft Publisher 2003 \r\n+ Microsoft Publisher 2007 0\r\n+ Microsoft SharePoint Designer 2007 0\r\n+ Microsoft Visio Professional 2007 0\r\n+ Microsoft Visio Standard 2007 0\r\nMicrosoft Office 2003 SP3\r\nMicrosoft Office 2003 SP2\r\nMicrosoft Office 2003 SP1\r\nMicrosoft Office 2003 0\r\n+ Microsoft Excel 2003 \r\n+ Microsoft FrontPage 2003 \r\n+ Microsoft InfoPath 2003 \r\n+ Microsoft OneNote 2003 0\r\n+ Microsoft Outlook 2003 0\r\n+ Microsoft PowerPoint 2003 0\r\n+ Microsoft Publisher 2003\r\n\n \u53ef\u53c2\u8003\u5982\u4e0b\u8865\u4e01\uff1a\r\nMicrosoft Office XP SP3\r\nMicrosoft Security Update for Microsoft Office XP (KB953405)\r\n<a href=http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17 target=_blank>http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17</a> -4500-9da4-a3bba97fda6d\r\nMicrosoft OneNote 2007 0\r\nMicrosoft Security Update for Microsoft Office OneNote 2007 (KB955047)\r\n<a href=http://www.microsoft.com/downloads/details.aspx?familyid=8ac3576c-7873 target=_blank>http://www.microsoft.com/downloads/details.aspx?familyid=8ac3576c-7873</a> -4ac6-8bbc-033f6a7bb395\r\nMicrosoft Office 2003 SP2\r\nMicrosoft Security Update for Microsoft Office 2003 (KB953404)\r\n<a href=http://www.microsoft.com/downloads/details.aspx?familyid=e670ad22-d3c1 target=_blank>http://www.microsoft.com/downloads/details.aspx?familyid=e670ad22-d3c1</a> -41f7-ba30-6a67139feaa3\r\nMicrosoft Office 2007 0\r\nMicrosoft Security Update for Microsoft Office 2007 (KB955047)\r\n2007 Microsoft Office System Service Pack 1\r\n<a href=http://www.microsoft.com/downloads/details.aspx?familyid=fb457536-26c5 target=_blank>http://www.microsoft.com/downloads/details.aspx?familyid=fb457536-26c5</a> 
-428b-97e4-1fc13718266e\r\nMicrosoft Office XP SP1\r\nMicrosoft Security Update for Microsoft Office XP (KB953405)\r\n<a href=http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17 target=_blank>http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17</a> -4500-9da4-a3bba97fda6d\r\nMicrosoft Office XP SP2\r\nMicrosoft Security Update for Microsoft Office XP (KB953405)\r\n<a href=http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17 target=_blank>http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17</a> -4500-9da4-a3bba97fda6d\r\nMicrosoft Office XP \r\nMicrosoft Security Update for Microsoft Office XP (KB953405)\r\n<a href=http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17 target=_blank>http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17</a> -4500-9da4-a3bba97fda6d\r\nMicrosoft Office 2007 SP1\r\nMicrosoft Security Update for Microsoft Office 2007 (KB955047)\r\n2007 Microsoft Office System Service Pack 1\r\n<a href=http://www.microsoft.com/downloads/details.aspx?familyid=fb457536-26c5 target=_blank>http://www.microsoft.com/downloads/details.aspx?familyid=fb457536-26c5</a> -428b-97e4-1fc13718266e\r\nMicrosoft OneNote 2007 SP1\r\nMicrosoft Security Update for Microsoft Office OneNote 2007 (KB955047)\r\n<a href=http://www.microsoft.com/downloads/details.aspx?familyid=8ac3576c-7873 target=_blank>http://www.microsoft.com/downloads/details.aspx?familyid=8ac3576c-7873</a> -4ac6-8bbc-033f6a7bb395\r\nMicrosoft Office 2003 SP3\r\nMicrosoft Security Update for Microsoft Office 2003 (KB953404)\r\n<a href=http://www.microsoft.com/downloads/details.aspx?familyid=e670ad22-d3c1 target=_blank>http://www.microsoft.com/downloads/details.aspx?familyid=e670ad22-d3c1</a> -41f7-ba30-6a67139feaa3", "published": "2008-09-11T00:00:00", "title": "Microsoft Office OneNote URL\u5904\u7406\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08MS08-055\uff09", "type": "seebug", "bulletinFamily": 
"exploit", "cvelist": ["CVE-2008-3007"], "modified": "2008-09-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-4016", "id": "SSV:4016", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "securityvulns": [{"lastseen": "2018-08-31T11:09:30", "bulletinFamily": "software", "cvelist": ["CVE-2008-3007"], "description": "Code execution on OneNote: URI.", "edition": 1, "modified": "2008-09-10T00:00:00", "published": "2008-09-10T00:00:00", "id": "SECURITYVULNS:VULN:9279", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9279", "title": "Microsoft Office code execution", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:27", "bulletinFamily": "software", "cvelist": ["CVE-2008-3007"], "description": "Microsoft Security Bulletin MS08-055 \u2013 Critical\r\nVulnerability in Microsoft Office Could Allow Remote Code Execution (955047)\r\nPublished: September 9, 2008\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user clicks a specially crafted OneNote URL. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nThis security update is rated Critical for supported editions of Microsoft Office OneNote 2007 and rated Important for supported editions of Microsoft Office XP, Microsoft Office 2003, and 2007 Microsoft Office System. 
For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThis security update addresses the vulnerability by modifying the way that Microsoft Office validates uniform resource locators. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation. Microsoft recommends that customers apply the update immediately.\r\n\r\nKnown Issues. None\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOffice Suite and Other Software\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\nMicrosoft Office Suites and Components\t \t \t \r\n\r\nMicrosoft Office XP Service Pack 3\r\n(KB953405)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS08-016\r\n\r\nMicrosoft Office 2003 Service Pack 2\r\n(KB953404)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS08-016\r\n\r\nMicrosoft Office 2003 Service Pack 3\r\n(KB953404)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\n2007 Microsoft Office System\r\n(KB951944)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS07-025\r\n\r\n2007 Microsoft Office System Service Pack 1\r\n(KB951944)\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\nOther Office Software\t \t \t \r\n\r\nMicrosoft Office OneNote 2007\r\n(KB950130)\r\n\r\nMicrosoft Office OneNote 2007 Service Pack 1\r\n(KB950130)\r\n\t\r\n\r\nRemote Code 
Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nNone\r\n\r\nNon-Affected Software \r\nOffice and Other Software\r\n\r\nMicrosoft Office 2000 Service Pack 3\r\n\r\nMicrosoft Office OneNote 2003 Service Pack 2\r\n\r\nMicrosoft Office OneNote 2003 Service Pack 3\r\n\r\nMicrosoft Office 2004 for Mac\r\n\r\nMicrosoft Office 2008 for Mac\r\n\r\nMicrosoft Visual Studio 2008\r\n\r\nMicrosoft Visual Studio 2008 Service Pack 1\r\n\r\nMicrosoft Expression Web\r\n\r\nMicrosoft Expression Web 2\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhere are the file information details? \r\nThe file information details can be found in Microsoft Knowledge Base Article 955047.\r\n\r\nMS08-052 also describes vulnerabilities in Microsoft Office XP Service Pack 3. How does MS08-052 relate to this bulletin (MS08-055)?\r\nAs part of the cumulative servicing model for Microsoft Office XP, this security update for Microsoft Office XP Service Pack 3 (KB953405) also addresses the vulnerabilities described in MS08-052. Users with Microsoft Office XP Service Pack 3 installed will have to install this security update but will only need to install it once.\r\n\r\nI have Visual Studio 2008, Expression Web, or Expression Web 2 installed, why am I being offered this update?\r\nVisual Studio 2008, Expression Web, and Expression Web 2 are not affected by this vulnerability, and you do not need to install the update. Visual Studio 2008, Expression Web, and Expression Web 2 contain the vulnerable shared office components, but do not access the vulnerable code. However, because the vulnerable code is present, this update will be offered.\r\n\r\nWhy is Microsoft Office listed as affected software for this update?\r\nMicrosoft Office XP, Microsoft Office 2003, and 2007 Microsoft Office System include a set of shared components used for shared Office functionality. 
This security update addresses the vulnerability by updating shared Office components.\r\n\r\nWhy is this update rated Critical severity for OneNote 2007 and OneNote 2007 Service Pack 1, but rated Important for other affected software?\r\nAlthough this security update addresses the vulnerability by updating files used in shared Office functionality, for the vulnerability to be exploited, OneNote 2007 must be installed and the user would still have to click a specially crafted OneNote URL.\r\n\r\nI use Microsoft Office 2003 Service Pack 2. Are any additional security features included in this update?\r\nYes, as part of the servicing model for Microsoft Office 2003, when users of Microsoft Office 2003 Service Pack 2 install this update, their systems will be upgraded to security functionality that was initially released with Microsoft Office 2003 Service Pack 3. All updates released after January 1, 2008 for Microsoft Office 2003 Service Pack 2 will include these security features, which were introduced in Microsoft Office 2003 Service Pack 3. We have thoroughly tested this update, but as with all updates, we recommend that users perform testing appropriate to the environment and configuration of their systems. For more information on this issue, please see Microsoft Knowledge Base Article 951646.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. 
For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.\r\n\r\nCustomers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tUniform Resource Locator Validation Error Vulnerability - CVE-2008-3007 \tAggregate Severity Rating\r\nMicrosoft Office Suites and Components\t \t \r\n\r\nMicrosoft Office XP Service Pack 3\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\r\nMicrosoft Office 2003 Service Pack 2 and Microsoft Office 2003 Service Pack 3\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\r\n2007 Microsoft Office System\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\r\n2007 Microsoft Office System Service Pack 1\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\nOther Office Software\t \t \r\n\r\nMicrosoft Office OneNote 2007 and Microsoft Office OneNote 2007 Service Pack 1\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\nTop of sectionTop of section\r\n\t\r\nUniform Resource Locator Validation Error Vulnerability - CVE-2008-3007\r\n\r\nA remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted URLs using the OneNote protocol handler 
(onenote://). The vulnerability could allow remote code execution if a user clicks a specially crafted OneNote URL. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-3007.\r\n\t\r\nMitigating Factors for Uniform Resource Locator Validation Error Vulnerability - CVE-2008-3007\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, a Web site could contain a specially crafted link (onenote://) that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open a specially crafted OneNote URL, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site, and then convincing them to click the specially crafted link.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nThe vulnerability cannot be exploited automatically through previewing an e-mail. 
For an attack to be successful a user must click a specially crafted link that is sent in an e-mail message.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Uniform Resource Locator Validation Error Vulnerability - CVE-2008-3007\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDisable OneNote protocol handler\r\n\r\nNote Repairing Office or installing an Office security update may undo this workaround.\r\n\r\nWarning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\r\n\r\nNote We recommend backing up the registry before you edit it.\r\n\r\nTo disable the protocol handler, follow these steps:\r\n\r\nInteractive Method\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type "regedit" (without the quotation marks), and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nExpand HKEY_CLASSES_ROOT, click on OneNote and then click the Registry menu and select Export.\r\n\r\n3.\r\n\t\r\n\r\nIn the Export Registry File dialog, type \u201cOneNote registry backup.reg\u201d and press Save. This will create a backup of this registry key in the \u2018My Documents\u2019 folder by default.\r\n\r\n4.\r\n\t\r\n\r\nExpand the OneNote key, click on the URL Protocol registry value in the right pane and press the Delete key. 
When prompted to delete the registry value via the Confirm Value Delete dialog box select Yes.\r\n\r\nManaged Deployment Script\r\n\r\n1.\r\n\t\r\n\r\nFirst a backup copy of the registry keys can be made from a managed deployment script with the following commands:\r\n\r\nRegedit.exe /e OneNote_registry_backup.reg HKEY_CLASSES_ROOT\OneNote\r\n\r\n2.\r\n\t\r\n\r\nNext save the following to a file with a .REG extension (i.e. Delete_OneNote_URL_Protocol.reg):\r\n\r\nWindows Registry Editor Version 5.00\r\n [HKEY_CLASSES_ROOT\OneNote]\r\n "URL Protocol"=-\r\n\r\n3.\r\n\t\r\n\r\nRun the above registry script created in step 2 on the target machine with the following command:\r\n\r\nRegedit.exe /s Delete_OneNote_URL_Protocol.reg\r\n\r\nImpact of workaround.\r\n\r\nThis workaround disables the OneNote protocol handler.\r\n\r\nHow to undo the workaround.\r\n\r\nRestore the registry key by using Regedit to restore the settings saved in the .REG file.\r\n\u2022\t\r\n\r\nRedirect OneNote protocol handler to the About protocol handler\r\n\r\nNote Repairing Office or installing an Office security update may undo this workaround.\r\n\r\nWarning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. 
For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\r\n\r\nNote We recommend backing up the registry before you edit it.\r\n\r\nInteractive Method\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type "regedit" (without the quotation marks), and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nExpand HKEY_CLASSES_ROOT\PROTOCOLS and then click on Handler.\r\n\r\n3.\r\n\t\r\n\r\nOn the Edit menu click New and then click Key.\r\n\r\n4.\r\n\t\r\n\r\nIn the new key dialog type "onenote" (without the quotation marks) and press Enter.\r\n\r\n5.\r\n\t\r\n\r\nExpand the new HKEY_CLASSES_ROOT\PROTOCOLS\Handler\onenote registry key and on the Edit menu, click New and then click StringValue.\r\n\r\n6.\r\n\t\r\n\r\nIn the new string value dialog type "CLSID" (without the quotation marks).\r\n\r\n7.\r\n\t\r\n\r\nIn the right pane of the registry editor double click on the new "CLSID" registry value and type or paste the following into the "Value Data" dialog box: {3050F406-98B5-11CF-BB82-00AA00BDCE0B} and then press the OK button.\r\n\r\nManaged Deployment Script\r\n\r\n1.\r\n\t\r\n\r\nSave the following to a file with a .REG extension (i.e. 
OneNote_Handler.reg):\r\n\r\nWindows Registry Editor Version 5.00\r\n[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\onenote]\r\n"CLSID"="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"\r\n\r\n2.\r\n\t\r\n\r\nRun the above registry script created in step 1 on the target machine with the following command:\r\n\r\nRegedit.exe /s OneNote_Handler.reg\r\n\r\nImpact of workaround.\r\n\r\nThis workaround redirects the OneNote protocol handler to the About protocol handler.\r\n\r\nHow to undo the workaround.\r\n\u2022\t\r\n\r\nInteractive\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type "regedit" (without the quotation marks), and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nExpand HKEY_CLASSES_ROOT\PROTOCOLS\Handler\r\n\r\n3.\r\n\t\r\n\r\nClick on the onenote registry key and then press the Delete key.\r\n\r\n4.\r\n\t\r\n\r\nWhen prompted to delete the registry value via the Confirm Key Delete dialog box, select Yes.\r\n\u2022\t\r\n\r\nManaged Deployment Script\r\n\r\n1.\r\n\t\r\n\r\nSave the following to a file with a .REG extension (i.e. Delete_OneNote_Handler.reg):\r\n\r\nWindows Registry Editor Version 5.00\r\n[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\onenote]\r\n\r\n2.\r\n\t\r\n\r\nRun the above registry script created in step 1 on the target machine with the following command:\r\n\r\nRegedit.exe /s Delete_OneNote_Handler.reg\r\n\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Uniform Resource Locator Validation Error Vulnerability - CVE-2008-3007\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? 
\r\nThe vulnerability is caused by a validation error that occurs when a specially crafted uniform resource locator is passed to open a specially crafted OneNote file.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nIn a Web-based attack scenario, an attacker could convince a user to click on a specially crafted uniform resource locator that references a specially crafted OneNote file leading to remote code execution.\r\n\r\nWhat is the component affected by the vulnerability? \r\nOffice OneNote 2007 is a digital notebook that provides people one place to gather their notes and information, powerful search to find what they are looking for quickly, and easy-to-use shared notebooks so that they can manage information overload and work together more effectively.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nSystems where the affected software is used, such as workstations and terminal servers, are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update removes the vulnerability by modifying the way that Microsoft Office validates uniform resource locators.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. 
Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nBrett Moore of Insomnia Security for reporting the Uniform Resource Locator Validation Error Vulnerability (CVE-2008-3007).\r\nTop of sectionTop of section\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. 
In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (September 9, 2008): Bulletin published.", "edition": 1, "modified": "2008-09-10T00:00:00", "published": "2008-09-10T00:00:00", "id": "SECURITYVULNS:DOC:20485", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20485", "title": "Microsoft Security Bulletin MS08-055 \u2013 Critical Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}