Update1: The vulnerability is being actively exploited on web sites. More to follow.

Microsoft has released an advisory related to an Office Web Components ActiveX vulnerability, it is available here. This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. The CVE entry for the vulnerability is CVE-2009-1136. Microsoft mentions that they are aware of active exploits against this vulnerability, although we at the SANS Internet Storm Center haven't seen it used or mentioned in public as of yet (this has changed, we are seeing active exploit pages). Which may tend to indicate it has been used in targeted rather than broad based attacks. At the moment there is no patch, there is a workaround, and it can be automated for enterprise deployment. The specific CLSIDs to set the killbit for are:

{0002E541-0000-0000-C000-000000000046}

{0002E559-0000-0000-C000-000000000046}

Start working on this on ASAP. The impact is remote code execution with the privileges of the logged in user running Internet Explorer, and might not require user intervention. As in browse to a nasty web site and be pwn3d.

Advisory: http://www.microsoft.com/technet/security/advisory/973472.mspx

KB article: http://support.microsoft.com/kb/973472

SRD blog: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

MSRC blog: http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx

There is a long list of affected products:

Microsoft Office XP Service Pack 3;

Microsoft Office 2003 Service Pack 3;

Microsoft Office XP Web Components Service Pack 3;

Microsoft Office Web Components 2003 Service Pack 3;

Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1;

Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3;

Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3;

Microsoft Internet Security and Acceleration Server 2006;

Internet Security and Acceleration Server 2006 Supportability Update;

Microsoft Internet Security and Acceleration Server 2006 Service Pack 1; and

Microsoft Office Small Business Accounting 2006.

For information on how to prevent ActiveX controls from running check out this Microsoft KB article on modifying the registry. This article describes how to deploy using Active Directory. If you have administrative privileges on a single system and are running Internet Explorer, you can click on this 'fixit' link to set the killbit and mitigate the vulnerability on a home computer for example.

Update1: The vulnerability is being actively exploited on web sites. More to follow.

Update2: One other obvious mitigation step is to use an alternate web browser (as in other than IE) that does not make use of ActiveX.

Update3: We have raised the Infocon to yellow for 24 hours due to the active exploitation of this vulnerability.

Update4: We will be updating our existing diary post of domains to block with domains that are hosting this exploit as well. You can see that diary entry at the following url. http://isc.sans.org/diary.html?storyid=6739 (newly added domains are in yellow) - AndreL

Update5: Attack vectors used to exploit this vulnerability.

The now known public attempts to exploit the vulnerability, attackers just modify the code with a fresh download and payload to slightly modified malware. A .cn domain using a heavily obfuscated version of the exploit - which may become an attack kit (think MPACK)and is similar to recent DirectShow attacks. A highly targeted attack against an organization earlier today who received a Microsoft Office document with embedded HTML. This one was particularly nasty, it was specifically crafted for the target - with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient. Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim's domain/IP range would not reach with the server.

Update6: This blog has additional information, with examples of code that may have been used in this attack. hxxp://safelab.spaces.live.com/blog/cns!A6B213403DBD59AF!1463.entry (obscured on purpose, some AV products will trigger accessing the page. Another example is here: hxxp://xeye.us/blog/2009/07/ one-0day/

One part of a signature looking for the exploit would be ActiveXObject("OWC10.Spreadsheet"), which could also be used for legitimate web applications trying to open a spreadsheet.

Update7: attempt at snort sigs (until something better comes along):

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX1 CVE-2009-1136 ref isc.sans.org/diary.html?storyid=6778"; flow:from_server, established; content:"0002E559-0000-0000-C000-000000000046"; nocase; pcre:"/<OBJECTs+[^>]*classids*=s*[x22x27]?s*clsids*x3as* x7B?s*0002E559-0000-0000-C000-000000000046/si"; classtype:attempted-user; sid:1000099; rev:1;)



alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX2 CVE-2009-1136 ref isc.sans.org/diary.html?storyid=6778"; flow:from_server, established; content:"0002E541-0000-0000-C000-000000000046"; nocase; pcre:"/<OBJECTs+[^>]*classids*=s*[x22x27]?s*clsids*x3as* x7B?s*0002E541-0000-0000-C000-000000000046/si"; classtype:attempted-user; sid:1000101; rev:1;)

Update8: Metasploit have released a module exploiting the vulnerability.

Update9: Matt Hrynkow and John Silvestri have submitted .ADM files for use in Active Directory GPO templates for setting the ActiveX killbits for last week's and this weeks vulnerabilities. Here is the one for The MS Office Web Object 973472 CVE-2009-1136.

--Start here--

CLASS MACHINE



CATEGORY "Windows Components"



CATEGORY "Internet Explorer"

POLICY "Internet Explorer - ActiveX Compatibility Disable for Microsoft Office Web Components"

#if version >= 3

EXPLAIN !!EXPLAIN1

#endif

KEYNAME "SOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{011B3619-FE63-4814-8A84-15A194CE9CE3}"

VALUENAME "Compatibility Flags"

VALUEON NUMERIC 1024

VALUEOFF NUMERIC 0

ACTIONLISTON

KEYNAME "SOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0002E541-0000-0000-C000-000000000046}"

VALUENAME "Compatibility Flags" VALUE NUMERIC 1024

KEYNAME "SOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0002E559-0000-0000-C000-000000000046}"

VALUENAME "Compatibility Flags" VALUE NUMERIC 1024

END ACTIONLISTON

ACTIONLISTOFF

KEYNAME "SOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0002E541-0000-0000-C000-000000000046}"

VALUENAME "Compatibility Flags" VALUE NUMERIC 0

KEYNAME "SOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0002E559-0000-0000-C000-000000000046}"

VALUENAME "Compatibility Flags" VALUE NUMERIC 0

END ACTIONLISTOFF

END POLICY ;Internet Explorer - ActiveX Compatibility Disable for OWC10_and_OWC11



END CATEGORY ;Internet Explorer

END CATEGORY ;Windows Components



CLASS USER

[Strings]

EXPLAIN1 =Enable this policy to implement workaround documented for Microsoft Security Advisory (973472)nnnhttp://www.microsoft.com/technet/security/advisory/973472.mspxnhttp://isc.sans.org/diary.html?storyid=6778n

--End here--

Update10: This MSDN blog has 32 and 64 bit versions of the Active Directory GPO ADM files and .reg files that should mitigate this vulnerability: http://blogs.msdn.com/askie/archive/2009/07/14/group-policy-adm-template-to-implement-the-workaround-from-security-advisory-973472.aspx The one posted above in Update9 apparently only works on 32 bit, and is missing the backslashes. Thanks Jim and Brian for letting us know.



If you see exploit code for this vulnerability, or have knowledge of it being used in an attack please let us know via our contact page.

Thanks to all who have contributed to this diary!

Cheers,

Adrien de Beaupré

Intru-shun.ca Inc.