Office Document Parsing Problems Cause a Predicament

Severity: High

13 September, 2011

Summary:

  • These vulnerabilities affect: Most current versions of Microsoft Office and its components, as well as Office SharePoint and Groove servers and products.
  • How an attacker exploits it: Typically by enticing one of your users to open a malicious Office document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft Office updates as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released three security bulletins describing flaws in Office and it’s components, as well as vulnerabilities in the Office SharePoint and Groove servers and products.

Two of the three bulletins describe seven document handling vulnerabilities found in Office and Excel for Windows or Mac. Though technically different, all of these document handling vulnerabilities share the same general scope and impact.  If an attacker can entice one of your users into downloading and opening a maliciously crafted Office document, he can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

According to Microsoft’s bulletins, an attacker can exploit these flaws using many different types of Office documents, including Excel, Word, and PowerPoint files. Also, some of these issues involve the insecure DLL loading vulnerability that Microsoft has contended with the past year. In those cases, an attacker would have to entice your user to open a document in the same location as a malicious DLL file; somewhat mitigating the risk of the attack.

If you’d like to learn more about the individual document handling flaws, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS11-072: Five Excel Code Execution Vulnerabilities, rated Important
  • MS11-073: Two Office Code Execution Vulnerabilities, rated Important

Microsoft also released a security bulletin detailing six vulnerabilities affecting their SharePoint, Groove, and Forms products. Most of the six flaws are Cross-Site Scripting (XSS) vulnerabilities, which allow attackers to elevate their privileges. More specifically, the attacker might leverage these flaws to execute scripts, launch commands, or perform operations under the context of an authenticated SharePoint victim. Of course, the attacker would have to entice his victim into clicking a specially crafted link or URL for this sort of attack to succeed.

Solution Path

Microsoft has released patches for Office, and the SharePoint and Groove products, to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you. For simplicity sake, we highly recommend letting Windows update select the updates you need if possible.

MS11-072:

Updates for:

MS11-073:

MS11-074:

Due to the complex selection of  update, we recommend you see the “Affected Software” section of Microsoft’s SharePoint and Groove bulletin to find the appropriate set of patches you need to apply. Better yet, Microsoft’s automatic update can apply the correct set of updates for you.

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Office documents, most organizations need to allow them in order to conduct business. Therefore, the patches above are your best recourse.

That said, if you want to block Office documents, you can use the HTTP, SMTP, and/or POP3 proxies to block documents by extension (such as .xls, .doc, .ppt, etc…). However, doing so blocks both malicious and legitimate file.

If you would like to use our proxies to block Office documents, follow the links below for instructions:

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

3 Responses to “Office Document Parsing Problems Cause a Predicament”

  1. Howdy! I just want to give an enormous thumbs up for the nice information youve got here on this
    post. I shall be coming back to your weblog for extra soon.

  2. Excellent post. I was checking continuously this blog and I am impressed!

    Very useful info specially the last part :) I care for such information much.
    I was seeking this particular info for a long time.
    Thank you and best of luck.

Trackbacks/Pingbacks

  1. Office Document Parsing Problems Cause a Predicament | microreksa - September 13, 2011

    [...] Office Document Parsing Problems Cause a Predicament [...]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 7,681 other followers

%d bloggers like this: