CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS: 0.853 High (Percentile: 98.5%)
Added: 08/27/2009
CVE: CVE-2009-0562
BID: 35990
OSVDB: 56914
Microsoft Office Web Components (OWC) are a group of OLE classes implemented as ActiveX controls.
A heap memory corruption vulnerability in the **OWC10.DataSourceControl** ActiveX control allows command execution when a user opens a web page that loads and unloads this control.
Apply the update referenced in Microsoft Security Bulletin 09-043.
<http://www.microsoft.com/technet/security/Bulletin/MS09-043.mspx>
The exploit works on Microsoft Office 2003 SP3 on Windows XP SP3 English with DEP enabled and requires a user to load the exploit page in Internet Explorer 6 or 7. After the published page is loaded in Internet Explorer, the target user must move the mouse in order to trigger the vulnerability. Note that this exploit is not 100% reliable due to the nature of heap memory corruption.
Windows XP