CyberSec.Space Logo
Back to CVE Browser

CVE-2009-1136

CRITICAL
9.3
CVSS Severity Score
EPSS Score0.1110%
EPSS Percentile11.43th
PublishedJul 15, 2009
Last ModifiedApr 23, 2026

Vulnerability Description

The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 Gold and SP1, and Office Small Business Accounting 2006, when used in Internet Explorer, allows remote attackers to execute arbitrary code via a crafted call to the msDataSourceObject method, as exploited in the wild in July and August 2009, aka "Office Web Components HTML Script Vulnerability."

Affected Platforms (CPE)

πŸ“¦
Microsoft

Isa Server

= 2004
πŸ“¦
Microsoft

Isa Server

= 2004
πŸ“¦
Microsoft

Isa Server

= 2006
πŸ“¦
Microsoft

Isa Server

= 2006
πŸ“¦
Microsoft

Isa Server

= 2006
πŸ“¦
Microsoft

Office

= 2003
πŸ“¦
Microsoft

Office

= 2003
πŸ“¦
Microsoft

Office Web Components

= 2003
πŸ“¦
Microsoft

Office Web Components

= 2003
πŸ“¦
Microsoft

Office Web Components

= xp
πŸ“¦
Microsoft

Office Xp

= sp3

References & Advisories

πŸ”— http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx
πŸ”— http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx
πŸ”— http://isc.sans.org/diary.html?storyid=6778
πŸ”— http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb
πŸ”— http://www.microsoft.com/technet/security/advisory/973472.mspx
πŸ”— http://www.us-cert.gov/cas/techalerts/TA09-223A.html
πŸ”— http://xeye.us/blog/2009/07/one-0day/
πŸ”— https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-043

Related Vulnerabilities

CVE-2006-702710.0

Microsoft Internet Security and Acceleration (ISA) Server 2004 logs unusual ASCII characters in the Host header, including the tab...

CVE-2006-662710.0

Integer overflow in the packed PE file parsing implementation in BitDefender products before 20060829, including Antivirus, Antivi...

CVE-2009-05629.3

The Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 W...

CVE-2009-24969.3

Heap-based buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web...