Securityvulns SECURITYVULNS:DOC:20485, Sep 10, 2008

Microsoft Security Bulletin MS08-055 – Critical Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)

Published: September 9, 2008

Version: 1.0
General Information
Executive Summary

This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user clicks a specially crafted OneNote URL. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for supported editions of Microsoft Office OneNote 2007 and rated Important for supported editions of Microsoft Office XP, Microsoft Office 2003, and 2007 Microsoft Office System. For more information, see the subsection, Affected and Non-Affected Software, in this section.

This security update addresses the vulnerability by modifying the way that Microsoft Office validates uniform resource locators. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. None
Affected and Non-Affected Software

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software
| Office Suite and Other Software | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
|---|---|---|---|
| Microsoft Office Suites and Components | | | |
| Microsoft Office XP Service Pack 3 (KB953405) | Remote Code Execution | Important | MS08-016 |
| Microsoft Office 2003 Service Pack 2 (KB953404) | Remote Code Execution | Important | MS08-016 |
| Microsoft Office 2003 Service Pack 3 (KB953404) | Remote Code Execution | Important | None |
| 2007 Microsoft Office System (KB951944) | Remote Code Execution | Important | MS07-025 |
| 2007 Microsoft Office System Service Pack 1 (KB951944) | Remote Code Execution | Important | None |
| Other Office Software | | | |
| Microsoft Office OneNote 2007 (KB950130); Microsoft Office OneNote 2007 Service Pack 1 (KB950130) | Remote Code Execution | Critical | None |

Non-Affected Software
Office and Other Software

Microsoft Office 2000 Service Pack 3

Microsoft Office OneNote 2003 Service Pack 2

Microsoft Office OneNote 2003 Service Pack 3

Microsoft Office 2004 for Mac

Microsoft Office 2008 for Mac

Microsoft Visual Studio 2008

Microsoft Visual Studio 2008 Service Pack 1

Microsoft Expression Web

Microsoft Expression Web 2

Frequently Asked Questions (FAQ) Related to This Security Update

Where are the file information details?
The file information details can be found in Microsoft Knowledge Base Article 955047.

MS08-052 also describes vulnerabilities in Microsoft Office XP Service Pack 3. How does MS08-052 relate to this bulletin (MS08-055)?
As part of the cumulative servicing model for Microsoft Office XP, this security update for Microsoft Office XP Service Pack 3 (KB953405) also addresses the vulnerabilities described in MS08-052. Users with Microsoft Office XP Service Pack 3 installed will have to install this security update but will only need to install it once.

I have Visual Studio 2008, Expression Web, or Expression Web 2 installed. Why am I being offered this update?
Visual Studio 2008, Expression Web, and Expression Web 2 are not affected by this vulnerability, and you do not need to install the update. Visual Studio 2008, Expression Web, and Expression Web 2 contain the vulnerable shared office components, but do not access the vulnerable code. However, because the vulnerable code is present, this update will be offered.

Why is Microsoft Office listed as affected software for this update?
Microsoft Office XP, Microsoft Office 2003, and 2007 Microsoft Office System include a set of shared components used for shared Office functionality. This security update addresses the vulnerability by updating shared Office components.

Why is this update rated Critical severity for OneNote 2007 and OneNote 2007 Service Pack 1, but rated Important for other affected software?
Although this security update addresses the vulnerability by updating files used in shared Office functionality, for the vulnerability to be exploited, OneNote 2007 must be installed and the user would still have to click a specially crafted OneNote URL.

I use Microsoft Office 2003 Service Pack 2. Are any additional security features included in this update?
Yes, as part of the servicing model for Microsoft Office 2003, when users of Microsoft Office 2003 Service Pack 2 install this update, their systems will be upgraded to security functionality that was initially released with Microsoft Office 2003 Service Pack 3. All updates released after January 1, 2008 for Microsoft Office 2003 Service Pack 2 will include these security features, which were introduced in Microsoft Office 2003 Service Pack 3. We have thoroughly tested this update, but as with all updates, we recommend that users perform testing appropriate to the environment and configuration of their systems. For more information on this issue, please see Microsoft Knowledge Base Article 951646.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.

Customers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Vulnerability Information

Severity Ratings and Vulnerability Identifiers
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
| Affected Software | Uniform Resource Locator Validation Error Vulnerability - CVE-2008-3007 | Aggregate Severity Rating |
|---|---|---|
| Microsoft Office Suites and Components | | |
| Microsoft Office XP Service Pack 3 | Important | Important |
| Microsoft Office 2003 Service Pack 2 and Microsoft Office 2003 Service Pack 3 | Important | Important |
| 2007 Microsoft Office System | Important | Important |
| 2007 Microsoft Office System Service Pack 1 | Important | Important |
| Other Office Software | | |
| Microsoft Office OneNote 2007 and Microsoft Office OneNote 2007 Service Pack 1 | Critical | Critical |

Uniform Resource Locator Validation Error Vulnerability - CVE-2008-3007

A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted URLs using the OneNote protocol handler (onenote://). The vulnerability could allow remote code execution if a user clicks a specially crafted OneNote URL. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-3007.

Mitigating Factors for Uniform Resource Locator Validation Error Vulnerability - CVE-2008-3007

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

In a Web-based attack scenario, a Web site could contain a specially crafted link (onenote://) that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open a specially crafted OneNote URL, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site, and then convincing them to click the specially crafted link.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The vulnerability cannot be exploited automatically through previewing an e-mail. For an attack to be successful a user must click a specially crafted link that is sent in an e-mail message.

Workarounds for Uniform Resource Locator Validation Error Vulnerability - CVE-2008-3007

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Disable OneNote protocol handler

Note: Repairing Office or installing an Office security update may undo this workaround.

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note: We recommend backing up the registry before you edit it.

To disable the protocol handler, follow these steps:

Interactive Method

1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK.

2. Expand HKEY_CLASSES_ROOT, click on OneNote and then click the Registry menu and select Export.

3. In the Export Registry File dialog, type “OneNote registry backup.reg” and press Save. This will create a backup of this registry key in the ‘My Documents’ folder by default.

4. Expand the OneNote key, click on the URL Protocol registry value in the right pane and press the Delete key. When prompted to delete the registry value via the Confirm Value Delete dialog box, select Yes.

Managed Deployment Script

1. First, a backup copy of the registry keys can be made from a managed deployment script with the following command:

Regedit.exe /e OneNote_registry_backup.reg HKEY_CLASSES_ROOT\OneNote

2. Next, save the following to a file with a .REG extension (i.e. Delete_OneNote_URL_Protocol.reg):

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\OneNote]
"URL Protocol"=-

3. Run the above registry script created in step 2 on the target machine with the following command:

Regedit.exe /s Delete_OneNote_URL_Protocol.reg

Impact of workaround.

This workaround disables the OneNote protocol handler.

How to undo the workaround.

Restore the registry key by using Regedit to restore the settings saved in the .REG file.

Redirect OneNote protocol handler to the About protocol handler

Note: Repairing Office or installing an Office security update may undo this workaround.

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note: We recommend backing up the registry before you edit it.

Interactive Method

1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK.

2. Expand HKEY_CLASSES_ROOT\PROTOCOLS and then click on Handler.

3. On the Edit menu click New and then click Key.

4. In the new key dialog type "onenote" (without the quotation marks) and press Enter.

5. Expand the new HKEY_CLASSES_ROOT\PROTOCOLS\Handler\onenote registry key and on the Edit menu, click New and then click StringValue.

6. In the new string value dialog type "CLSID" (without the quotation marks).

7. In the right pane of the registry editor double click on the new "CLSID" registry value and type or paste the following into the "Value Data" dialog box: {3050F406-98B5-11CF-BB82-00AA00BDCE0B} and then press the OK button.

Managed Deployment Script

1. Save the following to a file with a .REG extension (i.e. OneNote_Handler.reg):

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\onenote]
"CLSID"="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"

2. Run the above registry script created in step 1 on the target machine with the following command:

Regedit.exe /s OneNote_Handler.reg

Impact of workaround.

This workaround redirects the OneNote protocol handler to the About protocol handler.

How to undo the workaround.

Interactive

1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK.

2. Expand HKEY_CLASSES_ROOT\PROTOCOLS\Handler.

3. Click on the onenote registry key and then press the Delete key.

4. When prompted to delete the registry value via the Confirm Key Delete dialog box, select Yes.

Managed Deployment Script

1. Save the following to a file with a .REG extension (i.e. Delete_OneNote_Handler.reg):

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\onenote]

2. Run the above registry script created in step 1 on the target machine with the following command:

Regedit.exe /s Delete_OneNote_Handler.reg
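
Because repairing Office or installing an Office security update may undo either workaround, a read-only check of the registry state is useful after deployment. The following PowerShell is an added example and is not part of the Microsoft bulletin. The function name Get-OneNoteWorkaroundState and the output field names are hypothetical; the registry paths, value names and CLSID are the ones given in the workarounds above.

```powershell
# Added example (not from the bulletin): reports whether either MS08-055
# workaround is currently in effect on the local machine. Read-only.
# Note: HKEY_CLASSES_ROOT is a merged view of the per-machine and per-user
# class registrations, so run this in the context of the user being checked.

$AboutClsid  = '{3050F406-98B5-11CF-BB82-00AA00BDCE0B}'   # CLSID from the bulletin
$HandlerKey  = 'Registry::HKEY_CLASSES_ROOT\OneNote'
$RedirectKey = 'Registry::HKEY_CLASSES_ROOT\PROTOCOLS\Handler\onenote'

function Get-OneNoteWorkaroundState {
    # Workaround 1: the "URL Protocol" value has been deleted from HKCR\OneNote.
    $keyPresent         = Test-Path -LiteralPath $HandlerKey
    $urlProtocolPresent = $false
    if ($keyPresent) {
        $key = Get-Item -LiteralPath $HandlerKey
        # The value usually holds an empty string, so test for the name, not the data.
        $urlProtocolPresent = $key.GetValueNames() -contains 'URL Protocol'
    }

    # Workaround 2: HKCR\PROTOCOLS\Handler\onenote carries the About handler CLSID.
    $redirectClsid = $null
    if (Test-Path -LiteralPath $RedirectKey) {
        $redirectClsid = (Get-Item -LiteralPath $RedirectKey).GetValue('CLSID')
    }
    $redirected = ($redirectClsid -is [string]) -and ($redirectClsid -ieq $AboutClsid)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OneNoteKeyPresent  = $keyPresent
        UrlProtocolPresent = $urlProtocolPresent
        RedirectClsid      = $redirectClsid
        HandlerDisabled    = -not $urlProtocolPresent
        HandlerRedirected  = $redirected
        WorkaroundInPlace  = (-not $urlProtocolPresent) -or $redirected
    }
}

$state = Get-OneNoteWorkaroundState
$state | Format-List

if (-not $state.WorkaroundInPlace) {
    Write-Warning 'onenote:// handler is registered and not redirected; workaround is not in effect.'
}
```

A host where OneNoteKeyPresent is False reports HandlerDisabled as True simply because there is no handler registration to disable.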


FAQ for Uniform Resource Locator Validation Error Vulnerability - CVE-2008-3007

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
The vulnerability is caused by a validation error that occurs when a specially crafted uniform resource locator is passed to open a specially crafted OneNote file.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker could convince a user to click on a specially crafted uniform resource locator that references a specially crafted OneNote file leading to remote code execution.

What is the component affected by the vulnerability?
Office OneNote 2007 is a digital notebook that provides people one place to gather their notes and information, powerful search to find what they are looking for quickly, and easy-to-use shared notebooks so that they can manage information overload and work together more effectively.

What systems are primarily at risk from the vulnerability?
Systems where the affected software is used, such as workstations and terminal servers, are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by modifying the way that Microsoft Office validates uniform resource locators.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Other Information
Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Brett Moore of Insomnia Security for reporting the Uniform Resource Locator Validation Error Vulnerability (CVE-2008-3007).
Support

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

V1.0 (September 9, 2008): Bulletin published.