Tag Archives: excel

Office Updates Include Patches for SharePoint Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products like SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents, or interacting with web resources
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a number of vulnerabilities in Office, SharePoint, and related components. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-022: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from multiple remote code execution vulnerabilities and a cross-site scripting (XSS) flaw. The remote code execution flaws pose the most risk, and involve several unspecified input sanitization vulnerabilities in a number of SharePoint pages. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges. Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP service account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default, potentially making this a complete system compromise. If you run SharePoint servers, you should patch this as quickly as you can.

Microsoft rating: Critical

  • MS14-023: Office Remote Code Execution Flaw

Various Office components suffer from two publicly reported vulnerabilities. The worst is a remote code execution flaw involving the way Office’s “Grammar Checker” feature loads Dynamic Link Libraries (DLL). However, the flaw only affects Grammar Checker when the language is set to Chinese (Simplified). If a remote attacker can convince you to open an Office document that resides in the same directory (local or over a network) as a malicious DLL, she could exploit this flaw to execute code with your privileges. If you have local administrative access, the attacker gains complete control of your computer. However, this flaw will likely primarily affect Chinese Office users, which somewhat limits its impact. Office also suffers from something called a “token reuse” flaw, but it poses a lesser risk than the remote code execution one.

Microsoft rating: Important

  • MS13-086: MSCOMCTL ASLR Bypass Vulnerabilities

Office (and many other Microsoft products) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Office’s MSCOMCTL component doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Trio of Office Updates Fix SharePoint Flaw & ASLR Bypass

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products, including SharePoint
  • How an attacker exploits them: Varies. Typically by enticing users to visit malicious web content or open Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a like number of vulnerabilities in Microsoft Office and related products like SharePoint. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-100: SharePoint Code Execution Vulnerability

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from an unspecified remote code execution flaw having to do with how it parses specially crafted page content. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP service account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default, potentially making this a complete system compromise. However, Microsoft assigns this particular flaw an Important severity rating, probably because the attacker needs valid SharePoint credentials to exploit it.

Microsoft rating: Important

  • MS13-104: Office Access Token Hijacking Flaw

When you log in to an Office or SharePoint server, the server verifies your credentials and then produces an access token, which allows you to continue accessing the server for a limited period of time. Office suffers from an unspecified flaw having to do with how it handles documents hosted on web sites. If an attacker can entice you into opening an Office document hosted on a malicious site, he could exploit this flaw to gain access to your access token, and then may be able to leverage that token to hijack your SharePoint or Office server sessions.

Microsoft rating: Important

Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. One of the shared components that ships with Office products doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. Since Internet Explorer (IE) loads this component, it’s particularly useful for attackers. This update fixes the ASLR bypass hole. If you’d like more details about this fix, and how it helps your overall Windows security, see this Microsoft blog post. Though Microsoft only gives this their medium severity rating, we recommend you apply the update quickly.

Microsoft rating: Important
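Whether a module opts in to ASLR, the property at issue in the paragraph above and in the MSCOMCTL.OCX entry of the first alert on this page, is recorded in its PE header, so defenders can inventory the modules that do not. The following is an added example, not code from WatchGuard or Microsoft; the module names and header bytes are constructed test input.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with a larger randomization range
DYNAMIC_BASE = 0x0040      # image opts in to ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100         # image is compatible with DEP
RELOCS_STRIPPED = 0x0001   # COFF Characteristics bit: no base relocations
OPT_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


class NotPE(ValueError):
    """Raised when the buffer is not a well-formed PE image header."""


def read_mitigations(image: bytes) -> dict:
    """Return the ASLR-related header flags of a PE image (EXE, DLL, OCX)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise NotPE("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    # The COFF header follows the 4-byte signature; its last two fields are
    # SizeOfOptionalHeader and Characteristics.
    opt_size, file_chars = struct.unpack_from("<HH", image, e_lfanew + 20)
    opt = e_lfanew + 24
    if opt_size < 72 or opt + opt_size > len(image):
        raise NotPE("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in OPT_MAGICS:
        raise NotPE("unknown optional header magic 0x%04x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocatable = not (file_chars & RELOCS_STRIPPED)
    return {
        "format": OPT_MAGICS[magic],
        "dynamic_base": dynamic_base,
        "relocatable": relocatable,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & NX_COMPAT),
        # The loader can only randomize an image that opts in AND still
        # carries the relocations needed to move it.
        "aslr": dynamic_base and relocatable,
    }


def modules_without_aslr(modules: dict) -> list:
    """Names of modules that load at a predictable address; non-PE files are skipped."""
    flagged = []
    for name, image in sorted(modules.items()):
        try:
            if not read_mitigations(image)["aslr"]:
                flagged.append(name)
        except NotPE:
            continue
    return flagged


def build_constructed_pe(dll_chars: int, file_chars: int = 0x2102,
                         magic: int = 0x10B) -> bytes:
    """Constructed test input: just enough header for read_mitigations()."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, file_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Hypothetical module names; every image here is constructed.
    sample = {
        "legacy_control.ocx": build_constructed_pe(0x0000),
        "hardened.dll": build_constructed_pe(DYNAMIC_BASE | NX_COMPAT),
        "stripped.dll": build_constructed_pe(DYNAMIC_BASE, file_chars=0x2103),
        "readme.txt": b"not a PE file",
    }
    for name in modules_without_aslr(sample):
        print("no ASLR:", name)
```

For real files, pass the first few kilobytes of each module (for example `open(path, "rb").read(4096)`) as the dictionary values.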

As an aside, Microsoft also released a security bulletin (MS03-103) describing a flaw that primarily affects developers and organizations that specifically use the ASP.NET SignalR library. If you happen to use the ASP.NET SignalR library, do know it suffers from a relatively minor cross-site scripting (XSS) vulnerability, and you should update.

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server. Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



SharePoint, Excel, and Word Security Updates

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Word, and Excel
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix five vulnerabilities in SharePoint, Word, and Excel, which are all part of Microsoft’s Office suite of products. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-084: Two SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both a remote code execution flaw and a cross-site scripting (XSS) flaw. The remote code execution flaw is the more severe issue, and involves the way SharePoint handles specially crafted Excel files (this flaw directly relates to an Excel flaw we describe below). If an attacker can entice you to open a specially crafted Excel file from a SharePoint server (or from the Office Services or Web Apps), he could leverage this flaw to execute code on your computer, with your privileges. If you’re an administrator, the attacker has total control of your machine.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

  • MS13-085: Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. One of these two Excel flaws is identical to the Excel-related flaw in SharePoint. This flaw does not affect Excel 2003, but it does affect Excel for Mac.

Microsoft rating: Important

  • MS13-086: Two Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It, like Excel, suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word 2003 and 2007, not Word for Mac.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of these attacks:

  • WEB Microsoft Parameter Injection Vulnerability (CVE-2013-3895)
  • EXPLOIT Microsoft Word Memory Corruption Vulnerability (CVE-2013-3891)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



Microsoft Black Tuesday: Install the IE Update First

If you follow the blog, you’re surely aware that today is Microsoft Patch Day, and it’s an especially important one. Though it doesn’t set any records, Microsoft has released an update to fix a fairly significant zero-day Internet Explorer (IE) vulnerability, which many attackers have exploited in the wild for the past few weeks. If you can only apply one patch today, I recommend the IE one.

In their summary post, Microsoft shares details about eight security bulletins that fix 27 vulnerabilities in many of their popular products. They rate half the bulletins as Critical, and the other half as Important. Here’s the breakdown of affected products:

  • Internet Explorer (IE) [10 issues fixed]
  • Windows and its components [12 issues fixed]
  • Office products [5 issues fixed]
    • SharePoint Server
    • Word
    • Excel

If you use any of these products, you should update as soon as possible. As mentioned earlier, I recommend you install the IE update first, and try to get to it as quickly as you can. Though Microsoft previously released a FixIt for this issue (which I hope you’re running), it’s better to be safe than sorry. That said, don’t discount the other Critical updates. In general, I recommend you download, test and deploy all of Microsoft’s patches as soon as you can. For more details on today’s Patch Day, check out the October bulletin summary, or wait for our detailed alerts.

On the subject of patching, today is also Adobe patch day. They’ve released updates to fix Reader, Acrobat, and Robohelp. I’d also recommend you install those updates (the Reader one likely affects most people) as soon as you can. You can learn more about Adobe’s updates on their security page, but I’ll release an alert about them later today.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day.  — Corey Nachreiner, CISSP (@SecAdept)

Office Updates Fix SharePoint, Outlook, Word, and More

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and other components
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released seven security bulletins that fix 26 vulnerabilities in a range of Microsoft Office products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and an IME component. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-067: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from a number of vulnerabilities, ranging from remote code execution flaws to a denial of service (DoS) condition. The worst vulnerability is an input validation flaw involving how SharePoint handles specially crafted content. If an attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. In either case, Microsoft assigns this particular flaw their highest severity rating, so SharePoint administrators should patch as soon as possible, especially if you expose your services publicly.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

  • MS13-068: Outlook S/MIME Code Execution Flaw

Outlook is the popular Windows email client that ships with Office. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting MIME data, or put more simply, it allows you to encrypt email. Outlook suffers from a code execution vulnerability involving the way it handles specially crafted S/MIME messages. An attacker could exploit this flaw to execute code on your computer simply by sending you a specially crafted email (though you’d have to open or preview the message first). The code runs with your privileges, and if your users have local administrator privileges, the attacker gains complete control of their PCs. This flaw sounds, and is, pretty severe with one small exception. Microsoft believes it is technically pretty difficult to exploit. Nonetheless, we recommend you apply the patch posthaste.

Microsoft rating: Critical

  • MS13-072: Ten Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It suffers from ten memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects the Windows versions of Word and Word Viewer, not Word for Mac.

Microsoft rating: Important

  • MS13-073: Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. These flaws are essentially the same as the Word ones described above, but they affect Excel-related documents. So in short, if an attacker tricks you into opening a malicious Excel file, he can execute code as you. If you’re a local administrator, he has full control of your computer. Again, the flaws only affect the Windows versions, not Mac ones.

Microsoft rating: Important

  • MS13-074: Three Access Memory Corruption Vulnerabilities

Access is the popular database program that ships with Office. It suffers from three memory corruption vulnerabilities having to do with how it handles specially crafted database files. These flaws are identical in scope and impact to the two above, only they affect Access files. If you open the wrong database, an attacker can execute code as you.

Microsoft rating: Important

  • MS13-078: FrontPage Information Disclosure

FrontPage is a WYSIWYG HTML editor for creating web sites, which ships with Office. It suffers from an information disclosure vulnerability. If an attacker can trick a FrontPage user into opening a specially crafted FrontPage document, she could exploit this flaw to read the contents of any file on that user’s computer (assuming she knew the location of a specific file).

Microsoft rating: Important

  • MS13-075: Chinese IME Elevation of Privilege Vulnerability

Input Method Editors (IME) are optional components that allow Latin keyboard users to type non-Latin characters in Office or Windows. Unfortunately, the Office IME for Pinyin Chinese suffers from an elevation of privilege (EoP) vulnerability. If an attacker can gain local access to your computer using valid Windows credentials, he could run a specially crafted program that would give him full SYSTEM-level privileges on your computer. Of course, the attack only affects those who’ve specifically installed the Pinyin Chinese Office IME, and the attacker must have a valid login to exploit the issue.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server, or use the SMTP proxy to block messages containing S/MIME content (by blocking the application/pkcs7-mime MIME content type).
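To show which mail a rule on the application/pkcs7-mime content type would actually stop, here is an added example (not WatchGuard’s proxy logic or configuration) that walks a message’s MIME tree the way a content-type filter would. The sample messages are constructed, and the legacy `application/x-pkcs7-mime` spelling is an addition not named in the alert. Enveloped and opaque-signed messages match, including ones forwarded as attachments, while clear-signed mail (multipart/signed with an application/pkcs7-signature part) does not carry that type and passes.

```python
from email import message_from_bytes, policy

# The alert names application/pkcs7-mime; the legacy x- spelling is added here
# because older S/MIME senders still emit it.
BLOCKED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def smime_parts(raw: bytes) -> list:
    """Return (content_type, smime_type) for every part the rule would match."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # walk() also descends into forwarded message/rfc822 attachments.
    for part in msg.walk():
        ctype = part.get_content_type()   # lower-cased, parameters removed
        if ctype in BLOCKED_TYPES:
            smime_type = part.get_param("smime-type", "unspecified")
            hits.append((ctype, str(smime_type).lower()))
    return hits


def verdict(raw: bytes) -> str:
    """Decision a content-type block rule would reach for this message."""
    return "block" if smime_parts(raw) else "allow"


# --- Constructed sample messages (payloads are placeholders) ---------------
ENCRYPTED = b"""\
From: sender@example.test
To: user@example.test
Subject: constructed enveloped message
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

AAAA
"""

CLEAR_SIGNED = b"""\
From: sender@example.test
To: user@example.test
Subject: constructed clear-signed message
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

FORWARDED = b"""\
From: sender@example.test
To: user@example.test
Subject: constructed forward of an opaque-signed message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

see attached
--outer
Content-Type: message/rfc822

Subject: constructed original
Content-Type: APPLICATION/PKCS7-MIME; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

AAAA
--outer--
"""

if __name__ == "__main__":
    for label, raw in (("encrypted", ENCRYPTED),
                       ("clear-signed", CLEAR_SIGNED),
                       ("forwarded", FORWARDED)):
        print(label, verdict(raw), smime_parts(raw))
```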

Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of these attacks:

  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -1 (CVE-2013-0081)
  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -2 (CVE-2013-0081)
  • EXPLOIT Microsoft Office Could Allow Remote Code Execution (CVE-2013-3850)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -1 (CVE-2013-3180)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -2 (CVE-2013-3180)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -3 (CVE-2013-3180)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



Microsoft Black Tuesday: The Largest Patch Day of 2013 (So Far)

Today’s Patch Day is the largest so far for 2013, with Microsoft releasing 13 security bulletins. While it doesn’t break any records (that Patch Day was probably the 17 bulletin one in April 2011), it’s still nothing to sneeze at. Here’s today’s patch breakdown.

Microsoft’s 13 bulletins fix around 47 security vulnerabilities affecting the following products:

  • Internet Explorer (IE)
  • Windows
  • many Office products
    • SharePoint Server
    • Outlook
    • Word
    • Excel
    • Access
    • FrontPage

Microsoft rates four of the bulletins as Critical, and the remaining ones Important. The impacts of these flaws include remote code execution, elevation of privileges, information disclosure, and denial of service (DoS). For more details, check out the September bulletin summary, or wait for our detailed alerts.

At first glance, you might think the Critical Outlook bulletin is the most severe, and the first you should fix. I mean… gaining control of a user’s system simply by getting them to open an email sounds pretty horrible. However, Microsoft believes that this flaw is technically pretty difficult to exploit.

On the flip side, you might be less worried about the SharePoint issues, since you’d assume most organizations put SharePoint servers behind firewalls. Yet, as it turns out, many organizations provide public access to their SharePoint services allowing external employees easy access; some even disable authentication. My point being, I would apply the SharePoint patches first, assuming you manage SharePoint servers, but would still consider the Outlook update a close second (and don’t forget the Critical IE and Windows updates either).

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft’s update matrix below, for your convenience.  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: Sept. 2013

Microsoft Black Tuesday: Patch Windows Kernel-mode Driver and .NET First

Microsoft’s July Patch Day is live and ready for download, so go grab those updates. I recommend you work on the Windows Kernel-mode driver and .NET ones first.

According to their summary post, Microsoft released seven security bulletins today, six of which they rate as Critical. The bulletins include updates to fix 36 vulnerabilities in many popular Microsoft products, including Windows, Internet Explorer (IE), Office, the .NET Framework, Silverlight, and Defender. Attackers are exploiting at least one of these flaws in the wild.

I always recommend you apply Microsoft’s Critical updates as soon as possible, but there are two in particular that you should jump on immediately. The first fixes vulnerabilities in Windows’ kernel-mode driver (MS13-053), which were disclosed a while ago by a Google researcher. The researcher has already released proof of concept (PoC) code for this flaw, and Microsoft is aware of attackers leveraging it in targeted attacks. Next, you should also apply Microsoft’s .NET Framework and Silverlight patch quickly, since at least two of its flaws were disclosed in detail before today’s updates came out.

That’s not to say you should slack off on the other updates. I think the IE patch is pretty important too, as are any updates Microsoft rates Critical. So I’d recommend you apply all six of the Critical updates today if you can. Of course, I still recommend you test Microsoft’s updates in a non-production environment before pushing them to any critical production server. It may be OK to quickly patch client machines without testing, but you don’t want any surprises with your critical servers.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft’s update matrix below, for your convenience. — Corey Nachreiner, CISSP (@SecAdept)

Summary of July 2013 Microsoft Updates


Microsoft Black Tuesday: Security Flaws in a Menagerie of Products

Though today’s Patch Day might seem pretty average as far as the number of security bulletins released, it does cover a rather eclectic range of Microsoft products. In fact, a few of the updates affect Mac users as well, and one is even exclusive to Mac.

During today’s Patch Day, Microsoft released seven security bulletins fixing 20 vulnerabilities in the following products:

  • Windows (all versions)
  • Internet Explorer (IE)
  • Office Suite updates
    • Visio Viewer 2010
    • SharePoint Server 2010
    • OneNote 2010
    • Office Outlook for Mac
  • Silverlight 5 (For PC and Mac)

They rate four of the bulletins as Critical, and three as Important. Many of the Critical issues can allow remote attackers to execute code on affected systems. So we highly recommend you patch them quickly.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s March bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Nasty RTFs Nudge Word Into Submission

Severity: High

Summary:

  • These vulnerabilities affect: Word (and Office) 2003 through 2010 for Windows (and related components)
  • How an attacker exploits it: By enticing one of your users to open a malicious RTF document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft’s Word update as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing a serious security vulnerability in the Windows version of Word — part of the Microsoft Office package. The flaw doesn’t affect the Mac versions, but does affect the Word viewer and Office Compatibility Packs.

The vulnerability stems from an unspecified memory corruption flaw having to do with how Word handles rich text format (RTF) documents. If an attacker can entice one of your users into downloading and opening a maliciously crafted RTF document, he can exploit the flaw to execute code on that user’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path

Microsoft has released Word and Office updates to correct these vulnerabilities. If you use Office or Word, download, test, and deploy the appropriate updates as quickly as possible, or let Windows Update do it for you.

You’ll find links to these updates in the “Affected and Non-Affected Software” section of Microsoft’s Word bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed a signature, which detects and blocks this Word RTF vulnerability:

  • EXPLOIT Microsoft Word RTF listoverridecount Remote Code Execution Vulnerability (CVE-2012-2539)

Your appliance should get this new IPS update shortly.

You can also configure WatchGuard devices to block RTF documents. However, this will block all RTFs, whether legitimate or malicious. If you decide you want to block them, the links below contain instructions that will help you configure the proxy’s content blocking features for your device:

Status:

Microsoft has released Word updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Four Critical Spreadsheet Handling Flaws in Excel

Severity: Medium

Summary:

  • These vulnerabilities affect: Excel (and Office) 2003 through 2010 for Mac and PC (and related components)
  • How an attacker exploits it: By enticing one of your users to open a malicious Excel document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft’s Excel updates as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing four vulnerabilities found in Excel — part of Microsoft Office for Windows and Mac. The flaws also affect the Excel viewer and Office Compatibility Package.

Though the four vulnerabilities differ technically, they are all memory corruption issues which share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Excel document, he can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path

Microsoft has released Excel and Office updates to correct these vulnerabilities. If you use Office or Excel on a PC or Mac, download, test, and deploy the appropriate updates as quickly as possible, or let Windows Update do it for you.

You’ll find links to these updates in the “Affected and Non-Affected Software” section of Microsoft’s Excel security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed four signatures, which can detect and block these new Excel file handling vulnerabilities:

  • EXPLOIT Microsoft Excel SST Invalid Length Use After Free Vulnerability (CVE-2012-1887)
  • EXPLOIT Microsoft Excel Memory Corruption Vulnerability (CVE-2012-1886)
  • EXPLOIT Microsoft Excel SerAuxErrBar Heap Overflow Vulnerability (CVE-2012-1885)
  • EXPLOIT Microsoft Excel Stack Overflow Vulnerability (CVE-2012-2543)

Your appliance should get this new IPS update shortly.

You can also configure certain WatchGuard devices to block Microsoft Excel documents. However, this will block all Excel documents, whether legitimate or malicious. If you decide you want to block Excel files, the links below contain instructions that will help you configure the proxy’s content blocking features for your device:

Status:

Microsoft has released Excel updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.
