Microsoft Office Web Components OWC.Spreadsheet.9 ActiveX Control overflow

2008-03-12T00:00:00
ID SAINT:D8AE2570C5C5F6D760F77009C9DA218F
Type saint
Reporter SAINT Corporation
Modified 2008-03-12T00:00:00

Description

Added: 03/12/2008
CVE: CVE-2006-4695
BID: 28135
OSVDB: 42711

Background

Microsoft Office Web Components (OWC) are a group of OLE classes implemented as ActiveX controls.

Problem

A buffer overflow vulnerability in the **OWC.Spreadsheet.9** ActiveX control allows command execution when a user loads a web page which instantiates this control with a long, specially crafted URL in the **CSVData** field.

Resolution

Apply the update referenced in Microsoft Security Bulletin 08-017.

References

<http://www.microsoft.com/technet/security/bulletin/MS08-017.mspx>

Limitations

Exploit works on Microsoft Office 2000 and XP and requires a user to load the exploit page in Internet Explorer.

Platforms

Windows