Heads up ISA Server 2004/2006 admins: Vulnerability in Microsoft Office Web Components ActiveX Could Allow Remote Code Execution

For those who have not figured this out yet: ISA Server is not a desktop and should not be used for web browsing.


There is a reported 0-day vulnerability affecting the Microsoft Office Web Components Spreadsheet ActiveX control (OWC10 and OWC11).

These are not installed by default on Windows, but they can be installed with several products, including:
- Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
- Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
- Microsoft Internet Security and Acceleration Server 2006
- Internet Security and Acceleration Server 2006 Supportability Update
- Microsoft Internet Security and Acceleration Server 2006 Service Pack 1

Not affected:
- Microsoft Forefront Threat Management Gateway, Medium Business Edition
- Microsoft Internet Security and Acceleration Server 2000 Service Pack 2


This matters because the vulnerability could be used for remote code execution in a "browse and get owned" scenario: if the logged-on user has administrative rights, an attacker could take complete control of the vulnerable system. By default, Windows Server 2003 runs Internet Explorer with Enhanced Security Configuration (ESC) enabled, so with default settings ActiveX controls will not load from the Internet Zone when browsing.


At the time of writing, I'm not sure which "part" of ISA Server (ISA Server firewall services, CCS, ISA Server Management) has to be installed for these components to be installed, so I can't say exactly which ISA-related machines are affected. As can be seen above, however, it does affect the Internet Security and Acceleration Server 2006 Supportability Update, which can be installed to provide ISA Server 2006 with the functionality introduced in ISA Server 2004 Service Pack 3, for example improvements to the ISA Server Management console such as the new Troubleshooting node.


You can check every ISA Server instance on your network (every machine on which you may have installed ISA Server: ISA Server firewall services, CCS, ISA Server Management) to see whether you are at risk, using the Microsoft tool ClassId.cs found here:
http://blogs.technet.com/srd/archive/2008/02/03/activex-controls.aspx
For how to do that, refer to the Microsoft Security Research & Defense blog post "More information about the Office Web Components ActiveX vulnerability".


At the time of writing there is no patch, but there is a workaround (which can be automated for enterprise deployment): set the kill bit for the specific CLSIDs:
  {0002E541-0000-0000-C000-000000000046}
  {0002E559-0000-0000-C000-000000000046}
For further details see the Workarounds section of:
http://www.microsoft.com/technet/security/advisory/973472.mspx
You can head over to the link below to see how to implement this workaround automatically:
http://support.microsoft.com/kb/973472
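As an added example (not the advisory's or the KB article's own tooling), the PowerShell script below reports, for each of the two CLSIDs above, whether the control is registered on the machine and whether its kill bit is already set, and sets the kill bit when run with -Apply. It assumes the standard kill-bit location (the 'Compatibility Flags' DWORD, bit 0x400, under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, plus the Wow6432Node path for 32-bit IE on 64-bit Windows) and an elevated PowerShell session.

```powershell
# Added example, not tooling from the advisory or KB article.
# Reports, for each OWC CLSID named in the post, whether the control is registered on this
# machine and whether its kill bit is set; with -Apply, sets the kill bit.
# Kill bit = bit 0x400 of the 'Compatibility Flags' DWORD under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# (and under Wow6432Node for 32-bit IE on 64-bit Windows). Run from an elevated session.
param([switch]$Apply)

$clsids = '{0002E541-0000-0000-C000-000000000046}',
          '{0002E559-0000-0000-C000-000000000046}'
$killBit = 0x400

$compatRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $compatRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

foreach ($clsid in $clsids) {
    # A registered control has HKCR\CLSID\{...}\InprocServer32 pointing at its DLL
    # (this check sees the registry view of the current PowerShell process).
    $inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                               -ErrorAction SilentlyContinue
    if ($inproc) { $dll = $inproc.'(default)' } else { $dll = '<not registered>' }
    "$clsid -> $dll"

    foreach ($root in $compatRoots) {
        $key   = Join-Path $root $clsid
        # Missing key or value reads as 0 (no flags set)
        $flags = [int]((Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                                         -ErrorAction SilentlyContinue).'Compatibility Flags')
        $killed = ($flags -band $killBit) -eq $killBit
        "  $root : kill bit " + $(if ($killed) { 'SET' } else { 'NOT set' })

        if ($Apply -and -not $killed) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the kill bit in so any other compatibility flags already present survive
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($flags -bor $killBit) -Type DWord
            "  $root : kill bit applied"
        }
    }
}
```

Run it without -Apply first to audit; a control that shows as not registered on an ISA machine needs no kill bit there, but setting it anyway is harmless and protects against a later install.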


References:
- Microsoft Security Advisory (973472), Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/973472.mspx
- Microsoft Knowledge Base article 973472, Microsoft Security Advisory: Vulnerability in Microsoft Office Web Components control could allow remote code execution: http://support.microsoft.com/kb/973472
- Microsoft Security Research & Defense blog: More information about the Office Web Components ActiveX vulnerability.
- Microsoft Security Response Center (MSRC) blog, Microsoft Security Advisory 973472 released: http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx
- Internet Explorer Enhanced Security Configuration Considerations: http://technet.microsoft.com/en-us/library/cc780445(WS.10).aspx
- SANS Internet Storm Center diary: http://isc.sans.org/diary.html?storyid=6778
- Secunia advisory SA35800: http://secunia.com/advisories/35800/
- CVE-2009-1136: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1136
