CVE-2008-3007

Name of the Vulnerable Software and Affected Versions Microsoft Office versions XP SP3, 2003 SP2 and SP3, 2007 Office System Gold and SP1, and Office OneNote 2007 Gold and SP1

Description A remote code execution issue exists in the way Microsoft Office handles specially crafted URLs using the onenote:// protocol handler. This could allow remote code execution if a user clicks a specially crafted OneNote URL. An attacker who successfully exploits this issue could take complete control of an affected system, allowing them to install programs, view, change, or delete data, or create new accounts with full user rights.

Recommendations For Microsoft Office versions XP SP3, 2003 SP2 and SP3, 2007 Office System Gold and SP1, and Office OneNote 2007 Gold and SP1, consider avoiding the use of the onenote:// protocol handler until a patch is available. As a temporary workaround, restrict access to specially crafted OneNote URLs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.