A memory corruption flaw exists in Office Web Components. The OWC10.Spreadsheet ActiveX control fails to validate calls to the msDataSourceObject method resulting in memory corruption. With a specially crafted website, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

• CVE ID: 2009-1136 (see also: NVD)
• Secunia Advisory ID: 35800
• SCIP VulDB ID: 4000
• Metasploit ID: 55806
• Milw0rm: 9163
• Exploit Database: 9163
• Microsoft Knowledge Base Article: 973472
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2009-08/0091.html
  http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0148.html
• Vendor Specific Advisory URL: http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx
  http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx
• Generic Exploit URL: http://d2sec.com/products.htm
  http://www.saintcorporation.com/cgi-bin/exploit_info/ms_office_web_components_spreadsheet_eval
• Other Advisory URL: http://isc.sans.org/diary.html?storyid=6778
  http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb [ Link is 404 ]
  http://www.fortiguardcenter.com/advisory/FGA-2009-27.html
  http://www.zerodayinitiative.com/advisories/ZDI-09-054
  http://xeye.us/blog/2009/07/one-0day/ [ Link is 404 ]
• News Article: http://www.h-online.com/security/Microsoft-2-year-response-to-critical-0-day-hole--/news/113994
• Vendor Specific News/Changelog Entry: http://www.microsoft.com/technet/security/advisory/973472.mspx
• Microsoft Security Bulletin: MS09-043

• Peter Vreugdenhil - Zero Day Initiative (ZDI)
• Haifei Li - Fortinet's FortiGuard Labs