| Secunia ID | SA31744 |
| CVE-ID | |
| Release Date | 09 Sep 2008 |
| Last Change | 10 Sep 2008 |
| Criticality | |
| Solution Status | Vendor Patch |
| Software | Microsoft Office 2003 Professional Edition |
| Where | |
| Impact | System access. This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user. |
| Description | A vulnerability has been reported in Microsoft Office OneNote, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by missing input validation when processing a URI using the "onenote://" protocol handler. This can be exploited, for example, to place files on a user's system in semi-arbitrary locations or to obtain all OneNote Notebooks from the user's system via a specially crafted OneNote URI. NOTE: According to the vendor, the vulnerability exists in a shared Office component, but can only be exploited on systems with OneNote 2007 installed. |
| Solution | Apply patches. Microsoft Office XP SP3: Microsoft Office 2003 SP2: Microsoft Office 2003 SP3: 2007 Microsoft Office System: 2007 Microsoft Office System SP1: Microsoft Office OneNote 2007: Microsoft Office OneNote 2007 SP1: |
| Reported by | Brett Moore, Insomnia Security. |
| Original Advisory | MS08-055 (KB955047): Insomnia Security: |
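
Because the issue is reached through a crafted "onenote://" URI, a mail or web gateway can flag such URIs in inbound HTML while patches are being rolled out. The following is an added example, not part of the Secunia advisory or of any vendor code; the function names, the attribute list and the sample markup (with placeholder targets) are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

SCHEME = "onenote"  # protocol handler named in the advisory
URL_ATTRS = {"href", "src", "action", "formaction", "data", "content"}
C0_AND_SPACE = "".join(map(chr, range(0x21)))

def uri_scheme(value):
    """Lower-cased scheme of a URL attribute value, or None."""
    # Browsers drop tab/CR/LF anywhere in a URL and trim leading
    # control characters and spaces before parsing the scheme.
    cleaned = re.sub(r"[\t\r\n]", "", value).lstrip(C0_AND_SPACE)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    return m.group(1).lower() if m else None

class OneNoteLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits, self._in_script = [], False  # hits: (tag, attr, value)

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:  # entity references arrive decoded
            if value is None or name not in URL_ATTRS:
                continue
            if name == "content":  # meta refresh: "0;url=<target>"
                value = re.split(r"url\s*=", value, maxsplit=1,
                                 flags=re.I)[-1].strip("'\" ")
            if uri_scheme(value) == SCHEME:
                self.hits.append((tag, name, value))

    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        # Script can assemble the URI at run time; flag literal mentions.
        if self._in_script and re.search(r"onenote\s*:", data, re.I):
            self.hits.append(("script", "text", data.strip()))

def find_onenote_uris(html):
    finder = OneNoteLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

SAMPLE = (  # constructed page; targets are placeholders
    '<a href=" OneNote://example.invalid/a">mixed case</a>'
    '<iframe src="one&#110;ote://example.invalid/b"></iframe>'
    '<meta http-equiv="refresh" content="0;url=onenote://example.invalid/c">'
    '<script>location = "onenote:" + x;</script>'
)
```

`find_onenote_uris(SAMPLE)` returns one hit per element; a hit from untrusted content is a reason to quarantine or strip the link, not proof of exploitation.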