Strix
26.1K

CVE-2009-2496

UnknownEPSS 29.46%

Last modified

CVE-2009-2496 is a vulnerability of currently unknown severity. Heap-based buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 SP1, and Office Small Business Accounting 2006 allows remote attackers to execute arbitrary code via unspecified parameters to unknown methods, aka "Office Web Components Heap Corruption Vulnerability.". EPSS estimates a 29.46% chance of exploitation in the next 30 days.

Description

Heap-based buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 SP1, and Office Small Business Accounting 2006 allows remote attackers to execute arbitrary code via unspecified parameters to unknown methods, aka "Office Web Components Heap Corruption Vulnerability."

Metrics

EPSS Probability
29.46%

97.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
MicrosoftBiztalk Server2002
MicrosoftInternet Security And Acceleration Server2004Sp3
MicrosoftInternet Security And Acceleration Server2006Sp1
MicrosoftOfficeAll versions
MicrosoftOffice2003Sp3
MicrosoftOfficexpSp3
MicrosoftOffice Web Components2000Sp3
MicrosoftOffice Web Components2003Sp1
MicrosoftOffice Web ComponentsxpSp3
MicrosoftVisual Studio .Net2003Sp1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2009-2496?
Heap-based buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 SP1, and Office Small Business Accounting 2006 allows remote attackers to execute arbitrary code via unspecified parameters to unknown methods, aka "Office Web Components Heap Corruption Vulnerability."
How severe is CVE-2009-2496?
Severity scoring for CVE-2009-2496 is pending analysis. The EPSS model estimates a 29.46% probability of exploitation in the next 30 days.
How do I fix CVE-2009-2496?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2009-2496?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST