CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS: 0.967 High
Percentile: 99.6%
Added: 07/14/2009
CVE: CVE-2009-1136
BID: 35642
OSVDB: 55806
Microsoft Office Web Components (OWC) are a group of OLE classes implemented as ActiveX controls.
A memory corruption vulnerability allows command execution when a web page passes a specially crafted parameter to the Evaluate method of the OWC.Spreadsheet ActiveX control.
Set the kill bits on the {0002E541-0000-0000-C000-000000000046} and {0002E559-0000-0000-C000-000000000046} class IDs as described in Microsoft Knowledge Base Article 240797.
<http://www.microsoft.com/technet/security/advisory/973472.mspx>
Exploit works on Microsoft Office XP and 2003 SP3 and requires a user to open the exploit page in Internet Explorer 6 or 7.
The success of this exploit may depend on the state of the target's memory.
Windows