Back to KEVs

CVE-2009-1136

The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office...

Basic Information

CVE State
PUBLISHED
Reserved Date
March 25, 2009
Published Date
July 15, 2009
Last Updated
August 07, 2024
Vendor
Microsoft
Product
Office Web Components
Description
The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 Gold and SP1, and Office Small Business Accounting 2006, when used in Internet Explorer, allows remote attackers to execute arbitrary code via a crafted call to the msDataSourceObject method, as exploited in the wild in July and August 2009, aka "Office Web Components HTML Script Vulnerability."
Tags
metasploit_scanner

CVSS Scores

CVSS v2.0

9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploit Status

Exploited in the Wild
Yes (2009-07-15 15:00:00 UTC) Source

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5809 http://isc.sans.org/diary.html?storyid=6778 http://www.us-cert.gov/cas/techalerts/TA09-223A.html http://www.microsoft.com/technet/security/advisory/973472.mspx http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx http://xeye.us/blog/2009/07/one-0day/ http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043

Known Exploited Vulnerability Information

Source Added Date
CVE 2009-07-15 15:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms09_043_owc_msdso.rb 2025-04-29 11:01:32 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

ms09_043_owc_msdso

Type: metasploit • Created: Unknown

Metasploit module for CVE-2009-1136

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Metasploit