Here is a PDF of the risk assessment and review of this emerging vulnerability. Please check it out if you are working on mitigating this issue.
While the corporate risk is identified as an overall medium, there is a high risk of workstation infection from this problem.
Check out the document here.
Vuln RA 071409 – MS Web Office 0-day
If you would like to follow the emerging threat, the SANS Internet Storm Center is the best place to get current news about the outbreaks and exploitation. You can also follow me (@lbhuston) on Twitter for more information as it comes in.
UPDATES:
7/14 – 2:17pm Eastern –
SANS has gone back to green status and is posting that they hope awareness has been raised.
Nick Brown wrote in to tell us that the exploit in MetaSploit is easy to use and very effective against most XP workstations. He also warns home users to be on the lookout as this is very likely to turn into a worm or automated bot-net attack very soon. He agreed that the MetaSploit exploit is unlikely to affect servers as we expressed in our assessment. Lastly, he wanted us to remind everyone that using the kill bits, REQUIRES A REBOOT OF THE SYSTEM BEFORE IT IS IMMUNE.
Adam Hostetler also found this site, which has some interesting ways of identifying vulnerable hosts: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx
We have scheduled a FLASH Campfire chat for a threat update and discussion at 4pm Eastern today. The URL for that chat is: https://microsolved.campfirenow.com/ccf03
Thanks for reading and for all of the excellent feedback!
Update2: Here is the transcript from the public chat. Thanks to all who attended. Hopefully, it will be helpful for folks who are working on the issue.