□ Overview
o A remote code execution vulnerability exists in the MS Office Web Components ActiveX control, which is used to display charts, databases, and Excel spreadsheets on the web [1,2]
o Attacks exploiting this vulnerability are currently being observed, so users should refrain from visiting untrusted sites and configure the affected ActiveX control so that it cannot be used
□ Description
o Microsoft has published a Security Advisory on this vulnerability [1]
o The MS Office Web Component ActiveX control (OWC10.dll, OWC11.dll) triggers a memory corruption error while processing a specific value, which can lead to remote code execution [2]
o An attacker can lure a user to a malicious website in order to install malware on the system or execute arbitrary commands
  ※ Related CLSIDs: {0002E541-0000-0000-C000-000000000046}
                    {0002E559-0000-0000-C000-000000000046}
  ※ Related CVE: CVE-2009-1136 [5]
□ Affected Systems
o Affected software
  - Microsoft Office XP Service Pack 3
  - Microsoft Office 2003 Service Pack 3
  - Microsoft Office XP Web Components Service Pack 3
  - Microsoft Office 2003 Web Components Service Pack 3
  - Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
  - Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
  - Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
  - Microsoft Internet Security and Acceleration Server 2006
  - Internet Security and Acceleration Server 2006 Supportability Update
  - Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
  - Microsoft Office Small Business Accounting 2006
□ Solution
o No security update for this vulnerability has been released yet
o Apply the temporary workaround [3]
  - In the Microsoft Knowledge Base article [3], click the link under "Enable workaround" in the "Fix it for me" section, then download and install the file
  ※ To restore the original state, apply "Disable workaround"
o Check KrCERT/CC and the MS security update site [4] regularly, and when a security update for this vulnerability is released, promptly apply the latest update or enable automatic updates
  ※ How to enable automatic updates: Start → Control Panel → Security Center → Automatic Updates → select Automatic (recommended)
o To reduce the damage this vulnerability can cause, users should observe the following
  - Keep the antivirus program in use up to date and enable its real-time monitoring feature
  - Refrain from visiting untrusted websites
  - Do not follow links from unknown sources
□ Glossary
o ActiveX : a technology that connects ordinary applications with websites to provide interactive web services
□ References
[1] http://www.microsoft.com/technet/security/advisory/973472.mspx
[2] http://www.vupen.com/english/advisories/2009/1867
[3] http://support.microsoft.com/kb/973472
[4] http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=ko
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1136