Microsoft Security Bulletin MS08-056 - Moderate
Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
Published: | Updated:
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user clicks a specially crafted CDO URL. An attacker who successfully exploited this vulnerability could inject a client side script in the user's browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site.
This security update is rated Moderate for supported editions of Microsoft Office XP.
The security update addresses the vulnerability by unregistering the CDO protocol. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers consider applying the security update.
Known Issues. None
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
|Office Suite and Other Software||Maximum Security Impact||Aggregate Severity Rating||Bulletins Replaced by this Update|
|Microsoft Office XP Service Pack 3|
|Office and Other Software|
|Microsoft Office 2000 Service Pack 3|
|Microsoft Office 2003 Service Pack 2|
|Microsoft Office 2003 Service Pack 3|
|2007 Microsoft Office System|
|2007 Microsoft Office System Service Pack 1|
|Microsoft Office Excel/PowerPoint/Word Viewer 2003|
|Excel/PowerPoint/Word Viewer 2003 Service Pack 3|
|Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats|
|Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1|
|Microsoft Works 8.0|
|Microsoft Works 8.5|
|Microsoft Works 9.0|
|Microsoft Works Suite 2005|
|Microsoft Works Suite 2006|
|Microsoft Office 2004 for Mac|
|Microsoft Office 2008 for Mac|
Microsoft thanks the following for working with us to help protect customers:
- NetAgent Co., Ltd. for reporting the Vulnerability in Content Disposition Header Vulnerability (CVE-2008-4020).
- Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
- International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (October 14, 2008): Bulletin published.
- V1.1 (November 12, 2008): Corrected the removal information in the section, Security Update Deployment, to state that this security update cannot be uninstalled.