Microsoft Office OneNote URL Handler Remote Code Execution Vulnerability

Bugtraq ID:	31067
Class:	Boundary Condition Error
CVE:	CVE-2008-3007
Remote:	Yes
Local:	No
Published:	Sep 09 2008 12:00AM
Updated:	Sep 25 2008 07:09PM
Credit:	Brett Moore of Insomnia Security
Vulnerable:	Microsoft OneNote 2007 SP1 Microsoft OneNote 2007 0 Microsoft Office XP SP3 + Microsoft Excel 2002 SP3 + Microsoft Excel 2002 SP3 + Microsoft FrontPage 2002 SP3 + Microsoft FrontPage 2002 SP3 + Microsoft Outlook 2002 SP3 + Microsoft Outlook 2002 SP3 + Microsoft PowerPoint 2002 SP3 + Microsoft PowerPoint 2002 SP3 + Microsoft Publisher 2002 SP3 + Microsoft Publisher 2002 SP3 Microsoft Office XP SP2 - Microsoft Windows 2000 Professional SP3 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home SP1 - Microsoft Windows XP Home - Microsoft Windows XP Professional SP1 - Microsoft Windows XP Professional Microsoft Office XP SP1 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home - Microsoft Windows XP Professional Microsoft Office XP - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home - Microsoft Windows XP Professional Microsoft Office 2007 SP1 Microsoft Office 2007 0 + Microsoft Access 2007 0 + Microsoft Access 2007 0 + Microsoft Excel 2003 + Microsoft Excel 2007 0 + Microsoft Excel 2007 0 + Microsoft FrontPage 2003 + Microsoft Groove 2007 0 + Microsoft Groove 2007 0 + Microsoft InfoPath 2003 + Microsoft InfoPath 2007 0 + Microsoft InfoPath 2007 0 + Microsoft Office Communicator 2007 0 + Microsoft Office Communicator 2007 0 + Microsoft OneNote 2003 0 + Microsoft Outlook 2003 0 + Microsoft Outlook 2007 0 + Microsoft Outlook 2007 0 + Microsoft PowerPoint 2003 0 + Microsoft PowerPoint 2007 0 + Microsoft PowerPoint 2007 0 + Microsoft Project Professional 2007 0 + Microsoft Project Professional 2007 0 + Microsoft Project Standard 2007 0 + Microsoft Project Standard 2007 0 + Microsoft Publisher 2003 + Microsoft Publisher 2007 0 + Microsoft Publisher 2007 0 + Microsoft SharePoint Designer 2007 0 + Microsoft SharePoint Designer 2007 0 + Microsoft Visio Professional 2007 0 + Microsoft Visio Professional 2007 0 + Microsoft Visio Standard 2007 0 + Microsoft Visio Standard 2007 0 Microsoft Office 2003 SP3 Microsoft Office 2003 SP2 Microsoft Office 2003 SP1 Microsoft Office 2003 0 + Microsoft Excel 2003 + Microsoft FrontPage 2003 + Microsoft InfoPath 2003 + Microsoft OneNote 2003 0 + Microsoft Outlook 2003 0 + Microsoft PowerPoint 2003 0 + Microsoft Publisher 2003 HP Storage Management Appliance III HP Storage Management Appliance II HP Storage Management Appliance I HP Storage Management Appliance 2.1 + HP Storage Management Appliance III + HP Storage Management Appliance II + HP Storage Management Appliance I
Not Vulnerable:

Microsoft Office OneNote URL Handler Remote Code Execution Vulnerability

Microsoft Office OneNote is prone to a remote code-execution vulnerability.

An attacker could exploit this issue by enticing a victim to follow maliciously crafted URIs.

Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user.

Microsoft Office OneNote URL Handler Remote Code Execution Vulnerability

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Microsoft Office OneNote URL Handler Remote Code Execution Vulnerability

Solution:
The vendor has released an advisory and updates. Please see the references for more information.


Microsoft Office XP SP3

• Microsoft Security Update for Microsoft Office XP (KB953405)
  http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17 -4500-9da4-a3bba97fda6d

Microsoft OneNote 2007 0

• Microsoft Security Update for Microsoft Office OneNote 2007 (KB955047)
  http://www.microsoft.com/downloads/details.aspx?familyid=8ac3576c-7873 -4ac6-8bbc-033f6a7bb395

Microsoft Office 2003 SP2

• Microsoft Security Update for Microsoft Office 2003 (KB953404)
  http://www.microsoft.com/downloads/details.aspx?familyid=e670ad22-d3c1 -41f7-ba30-6a67139feaa3

Microsoft Office XP SP2

• Microsoft Security Update for Microsoft Office XP (KB953405)
  http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17 -4500-9da4-a3bba97fda6d

Microsoft Office 2007 SP1

• Microsoft Security Update for Microsoft Office 2007 (KB955047)
  2007 Microsoft Office System Service Pack 1
  http://www.microsoft.com/downloads/details.aspx?familyid=fb457536-26c5 -428b-97e4-1fc13718266e

Microsoft OneNote 2007 SP1

• Microsoft Security Update for Microsoft Office OneNote 2007 (KB955047)
  http://www.microsoft.com/downloads/details.aspx?familyid=8ac3576c-7873 -4ac6-8bbc-033f6a7bb395

Microsoft Office 2003 SP3

• Microsoft Security Update for Microsoft Office 2003 (KB953404)
  http://www.microsoft.com/downloads/details.aspx?familyid=e670ad22-d3c1 -41f7-ba30-6a67139feaa3

Microsoft Office 2007 0

• Microsoft Security Update for Microsoft Office 2007 (KB955047)
  2007 Microsoft Office System Service Pack 1
  http://www.microsoft.com/downloads/details.aspx?familyid=fb457536-26c5 -428b-97e4-1fc13718266e

Microsoft Office XP SP1

• Microsoft Security Update for Microsoft Office XP (KB953405)
  http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17 -4500-9da4-a3bba97fda6d

Microsoft Office XP

• Microsoft Security Update for Microsoft Office XP (KB953405)
  http://www.microsoft.com/downloads/details.aspx?familyid=ef3de64c-fc17 -4500-9da4-a3bba97fda6d

Microsoft Office OneNote URL Handler Remote Code Execution Vulnerability

References:

• Microsoft Office Product Homepage (Microsoft)
  
• MS08-055: Microsoft security response process, behind the scenes (Microsoft)
  
• Insomnia : ISVA-080910.1 - MS Office OneNote URL Handling Vulnerability ("Brett Moore" )
  
• ISVA-080910.1 MS Office OneNote URL Handling Vulnerability (Insomnia Security)
  
• Microsoft Security Bulletin MS08-055 (Microsoft)