Microsoft Office CDO Protocol Bug Lets Remote Users Execute Arbitrary Scripting Code
SecurityTracker Alert ID: 1021045
SecurityTracker URL: http://securitytracker.com/id/1021045
CVE Reference: CVE-2008-4020
Date: Oct 14 2008
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): XP SP3
Description:
A vulnerability was reported in Microsoft Office. A remote user can access information on the target user's system.
The CDO Protocol (cdo:) does not properly process the 'content-disposition: attachment' header. A remote user can create a CDO URL that, when loaded by the target user, will execute arbitrary scripting code in the target user's browser. The code can access information on the target user's system.
NetAgent Co., Ltd. reported this vulnerability.
Impact:
A remote user can access information on the target user's system.
Solution:
The vendor has issued the following fix:
Microsoft Office XP Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?familyid=b1aee2d5-bfa0-40e3-91b6-98bf65524e8c
A restart is not required.
The Microsoft advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms08-056.mspx
Vendor URL: www.microsoft.com/technet/security/bulletin/ms08-056.mspx
Cause: Access control error
Underlying OS: Windows (Any)
Message History: None.
Source Message Contents
Date: Tue, 14 Oct 2008 13:50:26 -0400
Subject: http://www.microsoft.com/technet/security/bulletin/ms08-056.mspx
Microsoft Security Bulletin MS08-056 - Moderate: Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
CVE-2008-4020