Microsoft Office CDO Protocol Cross Site Scripting Vulnerability



Date Discovered

October 14, 2008


Microsoft Office is prone to a cross-site scripting vulnerability that arises because the software fails to handle specially crafted CDO protocol URIs in a proper manner. Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Office XP Service Pack 3 is vulnerable.

Technologies Affected

  • Microsoft Office XP SP3


Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious network traffic.

Run all software as a nonprivileged user with minimal access rights.
If possible, running software as a user with least privileges possible can help mitigate the impact of exploit attempts against latent vulnerabilities in applications.

Set web browser security to disable the execution of script code or active content.
Since exploiting this issue requires the execution of malicious script code in web clients, consider disabling script code and active content support within a client browser as a way to prevent a successful exploit. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.

The vendor released an advisory along with fixes to address this issue. Please see the references for more information.



This issue was privately reported to Microsoft.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.