CVE-2009-1534

Microsoft Office Web Components - Remote Code Execution via Crafted Property Values

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-1534. PoCs published by Metasploit, jduck, including Metasploit module exploits/windows/browser/ms09_043_owc_htmlurl.

AI-analyzed exploit summary This is a Metasploit module exploiting a buffer overflow in Microsoft Office Web Components via an overly long 'HTMLURL' parameter. It achieves remote code execution by leveraging SEH overwrites and is designed for Windows XP SP3 with IE6 and Office XP.

Description

Buffer overflow in the Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2000 Web Components SP3, Office XP Web Components SP3, BizTalk Server 2002, and Visual Studio .NET 2003 SP1 allows remote attackers to execute arbitrary code via crafted property values, aka "Office Web Components Buffer Overflow Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16542

This is a Metasploit module exploiting a buffer overflow in Microsoft Office Web Components via an overly long 'HTMLURL' parameter. It achieves remote code execution by leveraging SEH overwrites and is designed for Windows XP SP3 with IE6 and Office XP.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Office Web Components (OWC) Spreadsheet ActiveX Control (versions 9 and 10)
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Target system must have vulnerable OWC ActiveX control installed and enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by jduck · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms09_043_owc_htmlurl.rb

This Metasploit module exploits a buffer overflow in Microsoft Office Web Components (OWC) via an overly long 'HTMLURL' parameter, leading to arbitrary code execution. It uses SEH overwrites and targets specific versions of Windows XP, IE6, and Office XP.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Office Web Components (OWC) Spreadsheet ActiveX Control (versions 9 and 10)
No auth needed
Prerequisites: Victim must visit a malicious webpage hosting the exploit · Target system must have vulnerable OWC ActiveX control installed and enabled
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (6)

Core 6
Core References
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-223A.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/56916
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6326
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35992
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1022708

Scores

EPSS 0.5161
EPSS Percentile 98.8%

Details

CWE
CWE-119
Status published
Products (8)
microsoft/isa_server 2004 sp3 (2 CPE variants)
microsoft/isa_server 2006 sp1 (2 CPE variants)
microsoft/office
microsoft/office 2003 sp3
microsoft/office xp sp3
microsoft/office_web_components 2000 sp3
microsoft/office_web_components 2003 sp1 (2 CPE variants)
microsoft/office_web_components xp sp3
Published Aug 12, 2009
Tracked Since Feb 18, 2026