facepalm

Microsoft is having a bad week and I seem to be equating that with LOL Cats. Go figure. A few days back, news of a zero-day Direct Play vulnerability started to surface (exploit PoC), only for us to find out yesterday that Microsoft knew of this vulnerability for almost a year.

Now we find that there is a zero-day in the Microsoft Office Web Components, according to this advisory from the Redmond mothership.

From SANS:

Microsoft has released an advisory related to an Office Web Components ActiveX vulnerability, it is available here. This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. The CVE entry for the vulnerability is CVE-2009-1136. Microsoft mentions that they are aware of active exploits against this vulnerability, although we at the SANS Internet Storm Center haven’t seen it used or mentioned in public as of yet (this has changed, we are seeing active exploit pages).

Apparently this permits remote code execution and may not require user interaction. Doesn’t bode well for the upcoming release from Microsoft…for free.

Oh, goodie (/sarcasm)

Article Link
