CVE-2009-1136

EXPLOITED IN THE WILD

Microsoft Office Web Components Spreadsheet ActiveX Control - Remote Code Execution via msDataSourceObject Method

Title source: llm

Exploitation Summary

CVE-2009-1136 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 3 public exploits from researchers including Metasploit, anonymous, unknown, hdm, Ahmed Obied, including a Metasploit module exploits/windows/browser/ms09_043_owc_msdso.

AI-analyzed exploit summary This exploit targets a memory corruption vulnerability in Microsoft Office Web Components (OWC) Spreadsheet ActiveX controls (versions 10 and 11). It leverages JavaScript to trigger the vulnerability via heap spraying and ActiveX manipulation, leading to remote code execution.

Description

The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 Gold and SP1, and Office Small Business Accounting 2006, when used in Internet Explorer, allows remote attackers to execute arbitrary code via a crafted call to the msDataSourceObject method, as exploited in the wild in July and August 2009, aka "Office Web Components HTML Script Vulnerability."

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/16537

View Code ZIP pw:eip

This exploit targets a memory corruption vulnerability in Microsoft Office Web Components (OWC) Spreadsheet ActiveX controls (versions 10 and 11). It leverages JavaScript to trigger the vulnerability via heap spraying and ActiveX manipulation, leading to remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Office Web Components (OWC) Spreadsheet ActiveX (OWC10.Spreadsheet, OWC11.Spreadsheet)

No auth needed

Prerequisites: Target must have vulnerable OWC ActiveX control installed · Target must visit a malicious webpage or be redirected to it

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by anonymous · textdoswindows

https://www.exploit-db.com/exploits/9163

View Code ZIP pw:eip

This exploit targets a vulnerability in the OWC10.Spreadsheet ActiveX control (CVE-2009-1136) by triggering a heap overflow via crafted JavaScript. The shellcode is executed through memory corruption, leading to arbitrary code execution.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Office Web Components (OWC10.Spreadsheet)

No auth needed

Prerequisites: Victim must visit a malicious webpage · OWC10.Spreadsheet ActiveX control must be installed and enabled

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

by unknown, hdm, Ahmed Obied · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms09_043_owc_msdso.rb

View Code ZIP pw:eip

This Metasploit module exploits a memory corruption vulnerability in Microsoft Office Web Components (OWC) Spreadsheet ActiveX controls (versions 10 and 11) via a crafted JavaScript payload. It leverages the msDataSourceObject method to trigger the vulnerability, leading to remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Office Web Components (OWC) Spreadsheet ActiveX (OWC10.Spreadsheet, OWC11.Spreadsheet)

No auth needed

Prerequisites: Victim must visit a malicious webpage or open a malicious HTML file · ActiveX controls must be enabled in the browser

MITRE ATT&CK