Tag Archives: office

Office Patches Mend Word, Visio, Publisher, and Lync

May 14, 2013 by Corey Nachreiner 1 Comment

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word, Visio, Publisher, and Lync
  • How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix 14 vulnerabilities in a range of Microsoft Office products, including Word, Visio, Publisher, and Lync. We summarize these four security bulletins below, in order from highest to lowest severity.

  • MS13-041: Lync Remote Code Execution (RCE) Vulnerability

 Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from an unspecified memory corruption vulnerability that attackers could leverage to execute arbitrary code on your computer. If an attacker can convince one of your users to join a Lync or Communicator session containing specially crafted content, they could execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could gain complete control of affected computers. This flaw only affects certain versions of Lync and Communicator. See the “Affected and Non-Affected Software” section of Microsoft’s bulletin for more details.

Microsoft rating: Critical

  • MS13-042: Multiple Publisher Memory Corruption Vulnerabilities

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from eleven memory corruption vulnerabilities. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Publisher except 2013.

Microsoft rating: Important

Word is the popular word processor that ships with Office. It suffers from a remote code execution (RCE) vulnerability having to do with how it handles Word or RTF documents containing maliciously crafted shape data. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word and Word Viewer 2003.

Microsoft rating: Important

  • MS13-044 : Visio Information Disclosure Vulnerability

Microsoft Visio is a popular diagramming program often used to create network diagrams.  Visio suffers from a complex information disclosure vulnerability, involving the way it parses specially crafted XML content. At a high level, XTM documents can contain “external entities;” essentially text or binary data from an external location. If an attacker can entice one of your users into downloading and opening a malicious Visio document (containing XTM content), he can exploit this flaw to read data from files on the victim’s computer. This flaw affects all versions of Visio except 2013.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed a signature that can detect and block the Visio Information Disclosure issue:

  • EXPLOIT Microsoft Visio XML External Entities Resolution Vulnerability (CVE-2013-1301)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Security Updates
, , , , , , , , , ,

Microsoft Black Tuesday: Fix for IE8 Zero Day and More

May 14, 2013 by Corey Nachreiner 5 Comments

Calling all Microsoft administrators. It’s time to spin up your virtual test machines and download, test, and deploy May’s batch of Microsoft security updates. This month’s theme is IE updates; with a focus on a recent IE zero day vulnerability, as well as a continuation of the “use after free” vulnerability theme I commented on last month.

According to their summary post, Microsoft released ten security bulletins today, fixing around 33 security vulnerabilities in many of their popular products. The affected software includes Internet Explorer (IE), Windows and related components, products from the Office suite (Word, Visio, and Publisher), Lync, and Windows Essentials. Microsoft rates the IE updates as Critical, and the rest as Important.

As I mentioned earlier, today’s theme definitely centers around IE. Last week’s security video covered how attackers have recently been exploiting a zero day IE8 vulnerability in the wild—most notably against the Department of Labor web site. One of today’s updates completely fixes this serious flaw. The other IE update continues to fix more “use after free” vulnerabilities, a class of memory corruption flaws that researchers and attackers have focused on lately. I highly recommend you install today’s IE updates immediately, then follow with the Windows and Office updates.

As an aside, Microsoft also released or updated four security advisories today. One of the updates has to do with one of today’s bulletins, but the other three are new. Once you’re finished handling today’s patches, you should check out Microsoft’s security advisory page as well.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s May bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles
, , , , , , , , , , , , , , , , ,

Microsoft Kicks Off Spring with Nine Security Bulletins

April 4, 2013 by Corey Nachreiner 4 Comments

The advanced notification results are in, and it’s looking good for Patch Day.

Next Tuesday, Microsoft will release nine security bulletins, two of which the Redmond-based software company rates as Critical. The bulletins will fix flaws in Windows, Internet Explorer (IE), Office, and some of Microsoft’s server and security software. As usual, they haven’t shared many details yet, but some experts expect the critical IE update to fix the zero day vulnerabilities disclosed at CanSecWest’s recent Pwn2Own contest. Either way, I expect the IE flaws to pose the greatest risk to most users, so you should plan on applying that patch as quickly as possible.

While nine bulletins may sound like a lot, it’s pretty average for Patch Day lately. Nonetheless, you should prepare your IT staff for a busy day of testing and patching next Tuesday. We’ll know more about these bulletins next week, and will publish alerts about them here. — Corey Nachreiner, CISSP (@SecAdept)

Screen Shot 2013-04-04 at 10.01.09 PM

Editorial Articles
, , , , , , ,

Four Office-related Updates Fix Productivity Software Vulnerabilities

March 12, 2013 by Corey Nachreiner 0 Comments

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Visio Viewer 2010, SharePoint Server 2010, OneNote 2010, and Outlook for Mac
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting malicious URLs
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing vulnerabilities in some of their Office-related productivity packages,  including Visio Viewer, SharePoint, OneNote, and Outlook for Mac. We summarize the four security bulletins below, in order of severity:

  • MS13-023: Visio Viewer Code Execution Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from a memory-related code execution vulnerability, having to do with the way it handles specially crafted Visio diagrams. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit this vulnerability to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects the 2010 version of Visio Viewer.

Microsoft rating: Critical

  • MS13-024: Various SharePoint Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They suffer from four different security issues, including a few elevation of privilege flaws, a Cross-Site Scripting vulnerability (XSS), and a Denial of Service (DoS) issue. By either enticing one of your users into clicking a malicious URL, or by inputting a specially crafted URL into a vulnerable SharePoint server, an attacker could exploit the worst of these flaws to gain elevated access to your SharePoint server, allowing him to view or change the documents your user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Critical.

  • MS13-025: OneNote 2010 Information Disclosure Flaw

Microsoft OneNote is a digital notebook that provides you a place to easily take notes on your digital device. It ships with most recent versions of Office. OneNote suffers from an information disclosure flaw. If an attacker can entice one of your users into downloading and opening a maliciously crafted OneNote (.ONE) file, she can leverage this flaw to read arbitrary data from your computer’s memory. Depending on what you are doing on your computer at the time, this flaw could allow the attacker to gain access to some of your sensitive information, including usernames and passwords. The issue only affects the 2010 version of OneNote.

Microsoft rating: Important

  • MS13-026: Outlook for Mac Information Disclosure Flaw

Outlook for Mac (the Apple OS X version of Microsoft’s email client) suffers from a relatively minor information disclosure vulnerability having to do with how it previews certain HTML email messages. If an attacker can lure you into opening a specially crafted HTML email, they can verify your email address is accurate and confirm you previewed the message. At best, this vulnerability may help attackers enumerate valid email addresses for later use in their spam and phishing attacks. However, it does not give attackers any further access to your email messages or computer. For that reason, we believe it poses a fairly low risk.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these vulnerabilities using diverse methods. Though you can configure WatchGuard appliances to block some of the Office documents related to a few of these attacks, and you can leverage our security services to mitigate the risk of malware delivered via these attacks, we cannot protect you against all of them; especially the local ones. We recommend you apply Microsoft’s patches to best protect your network.

That said, our IPS signature team has developed new signatures that can detect and block some of the SharePoint attacks:

  • WEB Microsoft SharePoint Server Callback Function Vulnerability (CVE-2013-0080)
  • WEB Microsoft SharePoint XSS Vulnerability (CVE-2013-0083)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -1 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -2 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -3 (CVE-2013-0084)

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Security Updates
, , , , , , , ,

Microsoft Black Tuesday: Security Flaws in a Menagerie of Products

March 12, 2013 by Corey Nachreiner 3 Comments

Though today’s Patch Day might seem pretty average as far as the number of security bulletins released, it does cover a rather eclectic range of Microsoft products. In fact, a few of the updates affect Mac users as well, and one is even exclusive to Mac.

During today’s Patch Day, Microsoft released seven security bulletins fixing  20 vulnerabilities in the following products:

  •  Windows (all versions)
  • Internet Explorer (IE)
  • Office Suite updates
    • Visio Viewer 2010
    • SharePoint Server 2010
    • OneNote 2010
    • Office Outlook for Mac
  • Silverlight 5 (For PC and Mac)

They rate four of the bulletins as Critical, and three as Important. Many of the Critical issues can allow remote attackers to execute code on affected systems. So we highly recommend you patch them quickly.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s March bulletin summary.  — Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles
, , , , , , , , , , , ,

Microsoft Piles on Patches Next Tuesday

February 7, 2013 by Corey Nachreiner 1 Comment

February looks to be a busy month for Microsoft administrators. According to the latest advanced patch notification, the Redmond-based software company plans to release a dozen security bulletins next Tuesday. The bulletins will fix security flaws in Windows, Internet Explorer (IE), Office, the .NET Framework, and Exchange server. Microsoft rates five of the  bulletins as Critical, and the rest as Important.

In the middle of last month, Microsoft released an out-of-cycle IE update to fix a flaw attackers were leveraging in the wild. It appears that update didn’t fix everything in IE since at least two of the upcoming bulletins affect the popular web browser.

As always, we’ll share more about these updates, and the vulnerabilities they correct, next week. You can also expect our IPS signature team to have signatures prepared for any known exploits that Microsoft shares with us. In the meantime, prepare your IT team for a pretty full plate of patches. — Corey Nachreiner, CISSP (@SecAdept)

Microsoft Patch Day: Feb. 2013

Editorial Articles
, , , , , , , , , , ,

WatchGuard Security Week in Review: Episode 50 – UPnP Pwnage

February 1, 2013 by Corey Nachreiner 2 Comments

UPnP Pwnage and Hacked Journalists

This week is rife with security news. If you want the quick highlights, you’ve come to the right place. Today’s video covers a few Yahoo XSS vulnerabilities, some serious UPnP security flaws, and the alleged China-based hack of the New York Times. Watch the video below for details.

Also, if you are interested in some other stories I didn’t have time to cover in the video, make sure to check out the Reference section for links to these extras.

Thanks for watching, and see you next week.

(Episode Runtime: 10:00)

Direct YouTube Link: https://www.youtube.com/watch?v=azjZ0dFxnR4

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , , , , , , , , , , , , , , , , , , ,

WatchGuard Security Week in Review: Episode 49 – Expelled Hacker

January 25, 2013 by Corey Nachreiner 2 Comments

Red October, Cisco WLAN Updates, and Expelled Hacker

Welcome to another “on the road” edition of WatchGuard Security Week in Review, the video podcast dedicated to summarizing the biggest InfoSec stories each week. This week’s episodes covers a Cisco wireless controller security update, Kaspersky’s investigation into the Red October cyber-espionage campaign, and the controversy surrounding an expelled “white hat” hacker. For more details on those stories and others, watch the short video below. You can also check out the ?Reference section for more details on any of these topics.

(Episode Runtime: 6:48)

Direct YouTube Link: http://www.youtube.com/watch?v=Q08Gcu_7EXo

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , , , , , , , , , , , , , , , , , , ,

WatchGuard Security Week in Review: Episode 48 – 0day Updates

January 19, 2013 by Corey Nachreiner 0 Comments

0Day Updates, Oracle Patches, and Mobile Botnets

Better late than never, right?

This week’s security video summary comes a tad late due to my travel schedule this week. It covers updates on the two latest zero day exploits, Oracle’s critical patch update, and stories about a mobile phone botnet and US power plant breach. Click play below to watch the short episode, or check out the References for more details.

Next week’s episode may also post at a weird time due to continued travel.

(Episode Runtime: 5:11)

Direct YouTube Link: http://www.youtube.com/watch?v=d1xVktaX_1o

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , , , , , , , , , , , , , , , , , , ,

WatchGuard Security Week in Review: Episode 47 – Piles of Patches

January 11, 2013 by Corey Nachreiner 3 Comments

Critical Java 0Day, Piles of Patches, and More

Ready for a weekly dose of InfoSec? This episode has a strong “patch” theme, with many vendors releasing some big security updates this week. Besides the patches, I also cover a few new 0day exploits, including a serious Java one getting leveraged quite a bit in the wild, and a couple crazy sounding security-related news items. If you want all the details, click play below, or check out the Reference section.

Note: I will be traveling the next few weeks. I still plan on trying to post the weekly video, but it may be shorter, less produced, and arrive at odd hours due to travel.

(Episode Runtime: 9:17)

Direct YouTube Link: http://www.youtube.com/watch?v=AkNqamIAPs8

Episode References:

— Corey Nachreiner, CISSP (@SecAdept)

Editorial Articles, Security Updates
, , , , , , , , , , , , , , , , , , , , , , ,
Older Entries

Follow

Get every new post delivered to your Inbox.

Join 7,114 other followers

%d bloggers like this: