MS OneNote Handler Vulnerability

September 11, 2008

Microsoft Office OneNote is a new component of the Microsoft Office Suite. Microsoft Office OneNote is a digital notebook that provides people one place to gather their notes and information, powerful search to find what they are looking for quickly, and easy-to-use shared notebooks so that they can manage information overload and work together more effectively.

Microsoft Office OneNote registers a protocol handler with the Windows registry, named "onenote" with the format "onenote://". This handler enables the OneNote executable to be launched from the Microsoft Internet Explorer browser. The onenote handler, however, can trigger a buffer-overrun vulnerability in mso.dll, which can cause malicious executable code injected and executed in the target client.

Microsoft has released an advisory MS08-055 to address this vulnerability, which can be found here. In this advisory, the Maximum Security Impact of this vulnerability is scored as CRITICAL. To protect the SonicWALL customers from being affected by this vulnerability, the SonicWALL UTM team has developed the following IPS signatures:

  • 3482 MS OneNote URL Validation Error 4 (MS08-055)
  • 3479 MS OneNote URL Validation Error 3 (MS08-055)
  • 3476 MS OneNote URL Validation Error 2 (MS08-055)
  • 3474 MS OneNote URL Validation Error 1 (MS08-055)