OWC Remote Code Execution

August 27, 2009

Microsoft Office Web Components (OWC) provide a mechanism for data analysis and visualization. OWC can be divided into two groups -- visible components and data controls. The data controls provide methods for connecting to data sources and retrieving data. If the control is instantiated, it attempts to provide data binding to the server controls. If the binding fails, it may release the object.

A memory corruption vulnerability exists in Microsoft Office Web Components controls. Specifically, the vulnerability exists in the initialization and release of the control object. In case that loading and releasing of the vulnerable control is repeated multiple times (through script code), the object attempts to read data from corrupted heap memory; as a result, flow of code execution may be changed. Remote attackers could exploit this vulnerability by enticing a target user to visit a maliciously crafted web page. Successful exploitation would result in code execution with the privileges of the logged in user. This vulnerability has been assigned as CVE-2009-0562.

By default the affected ActiveX controls are not installed on any Windows platform. However they are often installed with the popular MS Office suite and some server applications. This makes for a very large base of affected users.

The ClassIDs of the affected controls are:


The affected controls can also be instantiated using ProgIDs:


SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3144 - MS Office Web Components Remote Code Execution Attempt (MS09-043)