Tag Archives: microsoft office

Office Updates Fix Word 0day and Publisher Flaw

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Word, Publisher, and Office Web Apps
  • How an attacker exploits them: Typically by luring your users into opening malicious Office documents
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two Office-related security bulletins describing four vulnerabilities found in various Office and Office-related packages including the Word (for Windows and Mac), Publisher, and Office Web Apps. We summarize the bulletins below:

  • MS14-017: Multiple Word Code Execution Vulnerabilities

Word is the popular word processor that ships with Office.  It suffers from three remote code execution vulnerabilities having to do with how it handles malformed Word and RTF files. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs. This update includes the final fix for a zero day Word RTF vulnerability we mentioned in a previous alert. Since attackers have been exploiting that vulnerability in the wild, Microsoft assigns this a critical severity rating.

Microsoft rating: Critical

  • MS14-020: Multiple SharePoint Vulnerabilities

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from a memory corruption vulnerability that attackers can leverage to execute code. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. However, the flaw only affects Publisher 2003 and 2007 (not 2010 or 2013)

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. You can also leverage WatchGuard’s proxy policies to block certain types of documents, such as Publisher files or RTF documents. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

SharePoint Suffers from XSS and Information Disclosure Flaws

Summary:

  • These vulnerabilities affect: SharePoint Server, Groove Server, Office Web Apps, and InfoPath 2010, which are all part of Microsoft’s Office family products
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious link, or by visiting a specific address on a vulnerable server
  • Impact: In the worst case, an attacker can elevate their privileges, gaining the ability to do anything the victim can on the affected server.
  • What to do: Install the appropriate updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two Office-related  security bulletins describing vulnerabilities found in SharePoint, SharePoint Foundation, Groove, Office Web Apps, and InfoPath — all part of Microsoft’s Office family of products. Microsoft rates both bulletins as Important. We summarize them below:

  • MS13-030:  SharePoint Information Disclosure Flaw

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint Server 2013 does not apply the proper access controls to a SharePoint list, which means any SharePoint user can gain access to items in the list, even if the list owner did not intend that user to have access. However, in order to exploit this flaw, the attacker needs valid credentials on your SharePoint Server, and needs to know the specific URL address for the Sharepoint list in question. These factors significantly mitigate this vulnerability, limiting it primarily to an internal risk

Microsoft rating: Important.

  • MS13-035SharePoint and Office server XSS Vulnerability

SharePoint (and other Office-related servers like InfoPack and Groove) also suffer from an unspecified Cross-Site Scripting vulnerability (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to click a specially crafted link, an attacker could exploit this flaw to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could. These flaws only affect the 2010 versions of these Office servers.

Microsoft rating: Important

Solution Path

Microsoft has released patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate ones as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

WatchGuard’s Intrusion Prevention services can sometimes prevent web application attacks like the XSS one described today. For instance, our IPS signature team has developed a new signature that can detect and block the “HTML Sanitizarion” XSS attack affecting Sharepoint and other Office-related servers:

  • WEB-CLIENT Microsoft IE HTML Sanitization Vulnerability (CVE-2013-1289)

Your XTM appliance should get this new IPS update shortly. Nonetheless, attackers can still exploit these flaws locally, so we still recommend you install Microsoft’s updates.

Status:

Microsoft has released SharePoint and Visio updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Four Office-related Updates Fix Productivity Software Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Visio Viewer 2010, SharePoint Server 2010, OneNote 2010, and Outlook for Mac
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting malicious URLs
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing vulnerabilities in some of their Office-related productivity packages,  including Visio Viewer, SharePoint, OneNote, and Outlook for Mac. We summarize the four security bulletins below, in order of severity:

  • MS13-023: Visio Viewer Code Execution Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from a memory-related code execution vulnerability, having to do with the way it handles specially crafted Visio diagrams. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit this vulnerability to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects the 2010 version of Visio Viewer.

Microsoft rating: Critical

  • MS13-024: Various SharePoint Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They suffer from four different security issues, including a few elevation of privilege flaws, a Cross-Site Scripting vulnerability (XSS), and a Denial of Service (DoS) issue. By either enticing one of your users into clicking a malicious URL, or by inputting a specially crafted URL into a vulnerable SharePoint server, an attacker could exploit the worst of these flaws to gain elevated access to your SharePoint server, allowing him to view or change the documents your user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Critical.

  • MS13-025: OneNote 2010 Information Disclosure Flaw

Microsoft OneNote is a digital notebook that provides you a place to easily take notes on your digital device. It ships with most recent versions of Office. OneNote suffers from an information disclosure flaw. If an attacker can entice one of your users into downloading and opening a maliciously crafted OneNote (.ONE) file, she can leverage this flaw to read arbitrary data from your computer’s memory. Depending on what you are doing on your computer at the time, this flaw could allow the attacker to gain access to some of your sensitive information, including usernames and passwords. The issue only affects the 2010 version of OneNote.

Microsoft rating: Important

  • MS13-026: Outlook for Mac Information Disclosure Flaw

Outlook for Mac (the Apple OS X version of Microsoft’s email client) suffers from a relatively minor information disclosure vulnerability having to do with how it previews certain HTML email messages. If an attacker can lure you into opening a specially crafted HTML email, they can verify your email address is accurate and confirm you previewed the message. At best, this vulnerability may help attackers enumerate valid email addresses for later use in their spam and phishing attacks. However, it does not give attackers any further access to your email messages or computer. For that reason, we believe it poses a fairly low risk.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these vulnerabilities using diverse methods. Though you can configure WatchGuard appliances to block some of the Office documents related to a few of these attacks, and you can leverage our security services to mitigate the risk of malware delivered via these attacks, we cannot protect you against all of them; especially the local ones. We recommend you apply Microsoft’s patches to best protect your network.

That said, our IPS signature team has developed new signatures that can detect and block some of the SharePoint attacks:

  • WEB Microsoft SharePoint Server Callback Function Vulnerability (CVE-2013-0080)
  • WEB Microsoft SharePoint XSS Vulnerability (CVE-2013-0083)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -1 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -2 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -3 (CVE-2013-0084)

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

One Critical and Two Important Microsoft Office Updates

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office, Visio, SQL Server, Commerce Server, Host Integration Server 2004, Visual FoxPro, and Visual Basic 6.0 Runtime
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting web sites with malicious content
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released three Office-related security bulletins describing vulnerabilities found in Microsoft Office, Visio, and other productivity-related software. They rate one of the updates as Critical and the others as Important.

Besides affecting Office, the Critical update also affects:

  • SQL Server (most versions)
  • Commerce Server (all versions)
  • Host Integration Server 2004
  • Visual FoxPro
  • Visual Basic Runtime

We summarize the three bulletins below:

  • MS12-060: Common Controls Remote Code Execution Vulnerability

Office (and many other Microsoft products listed above) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). One of the ActiveX controls in this library suffers from an unspecified remote code execution vulnerability. By enticing one of your users to visit a malicious web page, or into clicking a specially crafted link, an attacker could exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of his machine. Microsoft’s update sets the kill bit for the vulnerable ActiveX control.

According to Microsoft, attackers are exploiting this vulnerability in the wild, in “limited targeted” attacks. This significantly increases the risk of this already serious vulnerability. You should apply this update immediately.

Microsoft rating: Critical.

  • MS12-057: CGM File Memory Corruption Vulnerability 

Computer Graphics Metafiles (CGM) are text-based file representations of 2D vector or raster graphics. Though few people actually use CGM files today, Microsoft Office still supports this legacy file type.

According to the bulletin, Office suffers from an unspecified memory corruption vulnerability involving the way it handles CGM files. By enticing one of your users into opening a CGM file, or into opening an Office document containing an embedded CGM file, an attacker can exploit this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative rights, the attacker gains complete control of the computer.

Microsoft rating: Important

  • MS12-059: Visio DXF Buffer Overflow Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams.

Visio and Visio Viewer suffer from a buffer overflow vulnerability involving the way they handle a specific type of specially crafted Visio document, called a DXF file. If an attacker can entice one of your users into downloading and opening a maliciously crafted DXF file, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects Visio and Visio Viewer 2010.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Many of WatchGuard’s security appliances can help mitigate the risk of some of these attacks. For instance, you can configure WatchGuard appliances to block the Office documents related to a few of these attacks (such as DOC, XLS, and DXF files) and you can leverage our security services to mitigate the risk of malware delivered via these attacks.

However, most administrators prefer to allow Office documents into their network, and our appliances cannot protect you against all avenues attacks, especially local ones. So we still recommend you apply Microsoft’s patches to best protect your network.

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Office Patches Mend SharePoint, Visual Basic, and Mac Specific Flaws

Severity: Medium

Summary:

  • These vulnerabilities affect: Microsoft Office (for PC and Mac), the SharePoint suite of products, and Visual Basic
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting web sites with malicious content
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released three Office-related security bulletins describing eight vulnerabilities found in various Office and Office-related packages including the SharePoint suite of products, Office for Mac, and Visual Basic. We summarize the bulletins below:

  • MS12-046: VBA Insecure Library Loading Vulnerability 

Microsoft Visual Basic for Applications (VBA) is a development platform that ships with Office, and helps you create new applications that integrate with existing Office applications and data systems. It suffers from a Dynamic Link Library (DLL) loading class vulnerability, which we’ve described in many previous Microsoft alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location as a maliciously crafted DLL file. If you open the booby-trapped file, it executes code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. In this particular case, the vulnerability is triggered by opening Office documents, such as .docx or xlsx.

Microsoft rating: Important

  • MS12-050: Multiple SharePoint Vulnerabilities

SharePoint is Microsoft’s web and document collaboration and management platform. SharePoint, and other related packages, suffer from six new security flaws, including three Cross-Site Scripting vulnerabilities (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to visit a malicious web page or into clicking a specially crafted link, an attacker could exploit any of the three XSS flaws to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could. The remaining issues include two information disclosure flaws and a URL redirection vulnerability attackers could leverage in spoofing attacks. See the “Vulnerability Information” security of the bulletin for more details.

Microsoft rating: Important

  • MS12-051: Office for Mac Elevation of Privilege Flaw

Office for Mac 2011 (the Apple OS X version of Microsoft’s productivity software) suffers from a vulnerability involving the way it sets folder permissions. If an attacker can gain physical access to your computer, plant a malicious executable in an Office folder, and then entice you to run it, the executable launches with your elevated privileges. Of course, if an attacker already has enough access to your computer to do all this, you already have significant problems. This flaw only poses a marginal risk.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these vulnerabilities using diverse methods, including by placing files locally. Though you can configure WatchGuard appliances to block some of the Office documents related to a few of these attacks, and you can leverage our security services to mitigate the risk of malware delivered via these attacks, we cannot protect you against all these attacks, especially the local ones. We recommend you apply Microsoft’s patches to best protect your network.

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Multiple Office Security Updates: One Affects Other Server Products

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office, Works, SQL Server, BizTalk Server 2002, Commerce Server, Visual FoxPro, and Visual Basic 6.0 Runtime
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web site or link, and enticing them to open malicious Works files
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft Updates immediately, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two Office-related security bulletins describing vulnerabilities found in Microsoft Office, and other productivity-related software. They rate one of the updates as Critical and the other as Important. Besides affecting Office, the Critical update also affects:

  • SQL Server (most versions)
  • BizTalk Server 2002
  • Commerce Server (all versions)
  • Visual FoxPro
  • Visual Basic Runtime

We summarize the two bulletins below:

  • MS12-027: Common Controls Remote Code Execution Vulnerability

Office (and many other Microsoft products listed above) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Three of the controls in this ActiveX library suffer from an unspecified remote code execution vulnerability. By enticing one of your users to visit a malicious web page, or into clicking a specially crafted link, an attacker could exploit the flaw in these controls to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of his machine. Microsoft’s update sets the kill bit for the vulnerable ActiveX controls.  According to Microsoft, attackers are exploiting this vulnerability in the wild, in “limited targeted” attacks. This significantly increases the risk of this already serious vulnerability. You should apply this update immediately.

Microsoft rating: Critical.

  • MS12-028: Works Converter Document Parsing Vulnerability

Microsoft Works is a light-weight office productivity package similar to Microsoft Office, though with fewer features and capabilities. Microsoft Office and newer versions of Works ship with a Works converter component, which allows these products to open various Works documents. This Works converter suffers from a vulnerability involving the way it validates and parses Works .wps files. If an attacker can entice one of your users into downloading and opening a maliciously crafted .wps document, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects Office 2007 w/SP2 and Works 9.

Microsoft rating: Important

Solution Path

Microsoft has released many product updates that correct these vulnerabilities. If you use any of the software mentioned in this alert, you should download, test, and deploy the appropriate patches as quickly as possible, or let Windows Update automatically install them for you.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

If you choose, you can configure the HTTP, SMTP, and FTP proxies on your XTM appliance to block Microsoft Works documents from entering your network, thus mitigating the risk of one these issues. Keep in mind, doing so blocks both legitimate and malicious Works files. If your business regularly transfers Works files outside your network, you may not want to block them with our appliance.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify the affected Works document (.wps):

File Extensions:

  • .wps – Works document

MIME types:

  • application/vnd.ms-works
  • application/x-msworks-wp
  • zz-application/zz-winassoc-wps

FILExt.com reported Magic Byte Pattern:

  • Hex: D0 CF 11 E0 A1 B1 1A E1 00

If you do decide you want to block Works files, the links below contain instructions that will help you configure your WatchGuard appliance’s content blocking features using the file and MIME information listed above.

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Office Updates Correct Sharepoint and Visio Flaws

Summary:

  • These vulnerabilities affect: SharePoint, SharePoint Foundation, and Visio Viewer 2010, which are all part of Microsoft’s Office suite of products
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web site or link, and enticing them to open malicious Visio files
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate SharePoint and Visio patches as soon as you can, or let Windows Update do it for you.

Exposure:

Yesterday, Microsoft released two Office-related  security bulletins describing eight vulnerabilities found in SharePoint, SharePoint Foundation, and Visio Viewer 2010 — all part of Microsoft’s Office suite of products. Microsoft rates both bulletins as Important. We summarize the bulletins below:

  • MS12-011: Three SharePoint XSS Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They both suffer from three  Cross-Site Scripting vulnerabilities (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to visit a malicious web page or into clicking a specially crafted link, an attacker could exploit any of these flaws to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Important.

  • MS12-015: Five Visio Viewer Memory Corruption Vulnerabilities

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams.  Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from five code execution vulnerabilities, all involving the way it handles specially crafted Visio documents. Though the flaws differ technically, they share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. These flaws only affect Visio Viewer 2010, not the commercial Visio product.

Microsoft rating: Important

Solution Path

Microsoft has released SharePoint and SharePoint Foundation patches that correct these vulnerabilities. You should download, test, and deploy the appropriate SharePoint patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

If you choose, you can configure the HTTP, SMTP, and FTP proxies on your XTM appliance to block Microsoft Visio documents from entering your network. Keep in mind, doing so blocks both legitimate and malicious Visio files. If your business regularly transfers Visio files outside your network, you may not want to block them with our appliance. However, if you can block them, it will help mitigate the risk of the Visio Viewer vulnerabilities until you are able to patch.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Visio files:

File Extensions:

  • .vsd – Visio Drawing files
  • .vst – Visio Template files
  • .vss – Visio Stencil files
  • .vdx – Visio XML Drawing files
  • .vtx  – Visio XML Template files
  • .vsx – Visio XML Stencil files

MIME types:

  • application/visio
  • application/x-visio
  • application/vnd.visio
  • application/visio.drawing
  • application/vsd
  • application/x-vsd
  • image/x-vsd
  • zz-application/zz-winassoc-vsd
  • application/x-visiotech

FILExt.com reported Magic Byte Pattern:

  • Hex: D0 CF 11 E0 A1 B1 1A E1 00

If you do decide you want to block Visio files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Microsoft has released SharePoint and Visio updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Office Update Fixes Flaws with Image Embedded Documents

Summary:

  • These vulnerabilities affect: All current versions of Microsoft Office for Windows, as well as Works 9
  • How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches immediately, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing twelve vulnerabilities found in components or programs that ship with Microsoft Office for Windows — more specifically, Publisher and the Office Graphics Filters component. Some of the vulnerabilities also affect the Office Converter Pack, Microsoft Works 9.

The twelve flaws affect different components and applications within Office, but the end result is always the same. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Since many of the vulnerabilities have to do with an attacker embedding specially crafted image files within any Office document, all types of Office documents could trigger these flaws. Warn your users to beware of all unexpected Office documents they receive.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS10-103: Multiple Publisher Code Execution Vulnerabilities, rated Important
  • MS10-105: Multiple Office Graphics Filters Code Execution Vulnerabilities, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

MS10-103:

MS10-105:

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Office documents, most organizations need to allow them in order to conduct business. Furthermore, you’d have to block all types of Office documents in order to mitigate the risk posed by one of these vulnerabilities. Therefore, the patches above are your best recourse.

Nonetheless, if you want to block all Office documents, the links below contain video instructions showing how your Fireboxes proxy policies can block files by extension. Keep in mind, this technique also blocks legitimate documents as well.

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 

Two Office Security Bulletins Fix Seven Vulnerabilities

Summary:

  • These vulnerabilities affect: Most current versions of Microsoft Office, and the components that ship with it
  • How an attacker exploits it: Typically by enticing one of your users to open a malicious Office document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft Office updates as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released two security bulletins describing seven vulnerabilities found in components that ship with most current versions of Microsoft Office for Windows and Mac.

The vulnerabilities affect different versions of Office to varying degrees. Though the seven vulnerabilities differ technically, and affect different Office components, they share the same general scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

According to Microsoft’s bulletins, an attacker can exploit these flaws using many different types of Office documents. In one bulletin, Microsoft specifically states PowerPoint documents are vulnerable. However, they also mention any “Office files” in their other alert. Therefore, we recommend you beware of all unexpected Office documents.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS10-087: Five Office Code Execution Vulnerabilities, rated Critical
  • MS10-088: Two PowerPoint Code Execution Vulnerabilities, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you.

MS10-087:

Note: Office 2004 and 2008 for Mac are also vulnerable to these flaws, however, Microsoft has not created a updates for these Mac versions yet.

MS10-088:

PowerPoint update for:

Note: Office 2004 for Mac is vulnerable to these flaws, however, Microsoft has not created an update for this Mac version yet.

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Office documents, some organizations need to allow them in order to conduct business. Therefore, these patches are your best recourse.

If you want to block Office documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features by file extensions. Some of the file extensions you’d want to block include, .DOC, .XLS, .PPT, and many more (including the newer Office extensions that end with “X”). Keep in mind, blocking files by extension blocks both malicious and legitimate documents.

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 

More Security Vulnerabilities Affect Word and Excel

Summary:

  • These vulnerabilities affect: All current versions of Microsoft Office for Windows and Mac (specifically Word and Excel)
  • How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches immediately, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing 24 vulnerabilities found in components or programs that ship with Microsoft Office for Windows and Mac — more specifically, Word and Excel. Some of the vulnerabilities also affect the viewers, Office Compatibility Packs, and File Format Converters that ship with each program. Each vulnerability affects different versions of Office to a different extent.

The 24 flaws may affect different components and applications within Office, but the end result is always the same. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

According to Microsoft’s bulletins, an attacker can exploit these flaws using two types of Office documents: Word (.doc) and Excel (.xls). So beware of all unexpected documents you receive with these file extensions.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS10-079: Multiple Word Code Execution Vulnerabilities, rated Important
  • MS10-080: Multiple Excel Code Execution Vulnerabilities, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

Word update for:

Excel update for:

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Word and Excel documents, some organizations need to allow them in order to conduct business. Therefore, these patches are your best recourse. Temporarily though, you may still want to block these Office documents until you are able to install Microsoft’s patches.

If you want to block Word, Excel, and Works documents, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .doc and .xls files by their file extensions:

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 


Follow

Get every new post delivered to your Inbox.

Join 7,557 other followers

%d bloggers like this: