Tag Archives: Patches

Office Updates Mend Word and Outlook Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word and Outlook
  • How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents or email
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins that fix four vulnerabilities in Word and Outlook. We summarize the bulletins below, in order from highest to lowest severity.

  • MS13-091: Multiple Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office.  It suffers from three memory corruption vulnerabilities having to do with how it handles malformed Word and WordPerfect files. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Word or WordPerfect document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Word except for Word for Mac.

Microsoft rating: Important

  • MS13-094:  Outlook S/MIME Information Disclosure Flaw

Outlook is the popular Windows email client that ships with Office. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting MIME data, or put more simply, it allows you to encrypt email. Outlook suffers from an information disclosure vulnerability involving the way it handles specially crafted S/MIME certificates. By convincing one of your users to open or preview a malicious email with a specially crafted S/MIME certification, an attacker could exploit this flaw to learn a bit about the victim system, including its IP address and the ports it listens on. However, the attacker could not leverage the flaw to compromise the victim system.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Sharepoint, Excel, and Word Security Updates

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Word, and Excel
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix five vulnerabilities in SharePoint, Word, and Excel, which are all part of Microsoft’s Office suite of products. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-084: Two SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both a remote code execution and cross-site scripting (XSS) flaw. The remote code execution is the more severe issue, and involves a flaw in the way Sharepoint handles specially crafted Excel files (this flaw directly relates to an Excel flaw we describe below). If an attacker can entice you to open a specially crafted Excel file from a SharePoint server (or from the Office Services or Web Apps), he could leverage this flaw to execute code on your computer, with your privileges. If you’re an administrator, the attacker has total control of your machine.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

  • MS13-085Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. One of these two Excel flaws is identical the the Excel-related flaw in Sharepoint. This flaw does not affect Excel 2003, but it does affect Excel for Mac

Microsoft rating: Important

  • MS13-086 Two Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It, like Excel, suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word 2003 and 2007, not Word for Mac.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of these attacks:

  • WEB Microsoft Parameter Injection Vulnerability (CVE-2013-3895)
  • EXPLOIT Microsoft Word Memory Corruption Vulnerability (CVE-2013-3891)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: Install the IE Update First

If you follow the blog, you’re surely aware that today’s Microsoft Patch Day; and it’s an especially important one. Though it doesn’t set any records, Microsoft has released an update to fix a fairly significant, zero day Internet Explorer (IE) vulnerability, which many attackers have exploited in the wild for the past few weeks. If you can only apply one patch today, I recommend the IE one.

In their summary post, Microsoft shares details about eight security bulletins that fix 27 vulnerabilities in many of their popular products. They rate half the bulletins as Critical, and the other half as Important. Here’s the breakdown of affected products:

  • Internet Explorer (IE) [10 issues fixed]
  • Windows and its components [12 issues fixed]
  • Office products [5 issues fixed]
    • SharePoint Server
    • Word
    • Excel

If you use any of these products, you should update as soon as possible. As mentioned earlier, I recommend you install the IE update first; and try to get to it as quickly as you can. Though Microsoft previously released a FixIt for this issue (which I hope you’re running), it’s better to be safe than sorry. That said, don’t discount the other Critical updates. In general, I recommend you download, test and deploy all of Microsofts patches as soon as you can. For more details on today’s Patch Day, check out the October bulletin summary, or wait for our detailed alerts.

On the subject of patching, today is also Adobe patch day too. They’ve released updates to fix Reader, Acrobat, and Robohelp. I’d also recommend you install those updates (the Reader one likely affects most people) as soon as you can. You can learn more about Adobe’s updates on their security page, but I’ll release an alert about them later today.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day.  — Corey Nachreiner, CISSP (@SecAdept)

Office Updates Fix SharePoint, Outlook, Word, and More

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and other components
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released seven security bulletins that fix 26 vulnerabilities in a range of Microsoft Office products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and an IME component. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-067: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from a number of vulnerabilities, ranging from remote code execution flaws to a denial of service (DoS) condition. The worst vulnerability is an input validation flaw involving how SharePoint handles specially crafted content. If an attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. In either case, Microsoft assigns this particular flaw their highest severity rating, so SharePoint administrators should patch as soon as possible, especially if you expose your services publicly.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

  • MS13-068: Outlook S/MIME Code Execution Flaw

Outlook is the popular Windows email client that ships with Office. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting MIME data, or put more simply, it allows you to encrypt email. Outlook suffers from a code execution vulnerability involving the way it handles specially crafted S/MIME messages. An attacker could exploit this flaw to execute code on your computer simply by sending you a specially crafted email (though you’d have to open or preview the message first). The code runs with your privileges, and if your users have local administrator privileges, the attacker gains complete control of their PCs. This flaw sounds, and is, pretty severe with one small exception. Microsoft believes it is technically pretty difficult to exploit. Nonetheless, we recommend you apply the patch posthaste.

Microsoft rating: Critical

  • MS13-072 :  Ten Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It suffers from ten memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects the Windows versions of Word and Word Viewer, not Word for Mac.

Microsoft rating: Important

  • MS13-073 Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. These flaws are essentially the same as the Word ones described above, but they affect Excel related documents. So in short, if an attacker tricks your into opening a malicious excel file, he can execute code as you. If you’re a local administrator, he has full control of your computer.  Again, the flaws only affects the Windows versions, not Mac ones.

Microsoft rating: Important

  • MS13-074 Three Access Memory Corruption Vulnerabilities

Access is the popular database program that ships with Office. It suffers from three memory corruption vulnerabilities having to do with how it handles specially crafted database files. These flaws are identical in scope and impact to the two above, only they affect Access files. If you open the wrong database, an attack can execute code as you.

Microsoft rating: Important

  • MS13-078: FrontPage Information Disclosure 

FrontPage is a WYSIWYG HTML editor for creating web sites, which ships with Office.  It suffers from an information disclosure. If an attacker can trick a FrontPage user into opening a specially crafted FrontPage document, she could exploit this flaw to read the contents of any file on that user’s computer (assuming they knew the location of a specific file).

Microsoft rating: Important

  • MS13-075 : Chinese IME Elevation of Privilege Vulnerability

Input Method Editors (IME) are optional components that allows Latin keyboard users to type non-Latin characters in Office or Windows. Unfortunately, the Office IME for Pinyin Chinese suffers from an elevation of privilege (EoP) vulnerability. If an attacker can gain local access to your computer using valid Windows credentials, he could run a specially crafted program that would give him full SYSTEM-level privileges on your computer. Of course, the attack only affects those who’ve specifically installed the Pinyin Chinese Office IME, and the attacker must have a valid login to exploit the issue.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server, or use the SMTP proxy to block messages containing S/MIME content (by blocking the application/pkcs7-mime MIME content type).

Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of these attacks:

  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -1 (CVE-2013-0081)
  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -2 (CVE-2013-0081)
  • EXPLOIT Microsoft Office Could Allow Remote Code Execution (CVE-2013-3850)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -1 (CVE-2013-3180)
  •  EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -2 (CVE-2013-3180)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -3 (CVE-2013-3180)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Microsoft Black Tuesday: The Largest Patch Day of 2013 (So Far)

Today’s Patch Day is the largest so far for 2013, with Microsoft releasing 13 security bulletins. While it doesn’t break any records (that Patch Day was probably the 17 bulletin one in April 2011), it’s still nothing to sneeze at. Here’s today’s patch break down.

Microsoft’s 13 bulletins fix around 47 security vulnerabilities affecting the following products:

  • Internet Explorer (IE)
  • Windows
  • many Office products
    • SharePoint Server
    • Outlook
    • Word
    • Excel
    • Access
    • FrontPage

Microsoft rates four of the bulletins as Critical, and the remaining ones Important. The impacts of these flaws range from remote code execution, elevation of privileges, information disclosure, and denial of service (DoS). For more details, check out the September bulletin summary, or wait for our detailed alerts.

At first glance, you might think the Critical Outlook bulletin is the most severe, and the first you should fix. I mean… gaining control of a user’s system simply by getting them to open an email sounds pretty horrible. However, Microsoft believes that this flaw is technically pretty difficult to exploit.

On the flip side, you might be less worried about the SharePoint issues, since you’d assume most organizations put SharePoint servers behind firewalls. Yet, as it turns out, many organizations provide public access to their SharePoint services allowing external employees easy access; some even disable authentication. My point being, I would apply the SharePoint patches first, assuming you manage SharePoint servers, but would still consider the Outlook update a close second (and don’t forget the Critical IE and Windows updates either).

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft’s update matrix below, for your convenience.  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: Sept. 2013

Microsoft Patch Tuesday: Critical Fixes for Exchange, IE, and Windows

It’s that time again… Microsoft Patch Day. Sometimes following Microsoft’s regular patch cycle can feel a lot like the movie, Groundhog Day. Yet—also like the movie—it’s well worth repeating regularly to make sure that you get it right.

According to their summary post, Microsoft released eight security bulletins today, three of which they rate as Critical. The bulletins include updates to fix at least 22 vulnerabilities in three popular Microsoft products, Windows, Internet Explorer (IE), and Exchange Server. Though attackers aren’t exploiting these issues in the wild yet, researchers have publicly disclosed a few of them, which makes them a bit more likely to be targeted.

In my opinion, you should apply the IE update first, as it fixes 11 serious vulnerabilities, many of which attackers could leverage in drive-by download attacks. Right now, booby-trapped web sites are one of the most common infection vectors. For that reason, I recommend you apply web browser updates, like this IE one, as quickly as possible. The Exchange update is a close second, as it also fixes a remotely exploitable flaw that could allow attackers to gain access to your Exchange server simply by tricking one of your users into previewing a specially crafted document. Finish up with the Windows updates, beginning with the Critical one.

As always, I still recommend you test Microsoft patches before deploying them to your critical production servers. While it might be okay to push client software updates without testing them, you should test server updates, like today’s Exchange one, before deploying them in order to avoid unexpected downtime. If you don’t already have a test environment that mimics your production environment, virtualization is a great way to create one.

I’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day.  — Corey Nachreiner, CISSP (@SecAdept)

MS Patch Day: August 2013

Microsoft Black Tuesday: Patch Windows Kernel-mode Driver and .NET First

Microsoft’s July Patch Day is live and ready for download, so go grab those updates. I recommend you work on the Windows Kernel-mode driver and .NET one’s first.

According to their summary post, Microsoft released seven security bulletins today, six of which they rate as Critical. The bulletins include updates to fix 36 vulnerabilities in many popular Microsoft products, including Windows, Internet Explorer (IE), Office, the .NET Framework, Silverlight, and Defender. Attackers are exploiting at least one of these flaws in the wild.

I always recommend you apply Microsoft’s Critical updates as soon as possible, but there are two in particular that you should jump on immediately. The first fixes vulnerabilities in Windows’ kernel-mode driver (MS13-053), which was disclosed awhile ago by a Google researcher. The researcher has already released proof of concept (PoC) code for this flaw, and Microsoft is aware of attackers leveraging it in targeted attacks. Next, you should also apply Microsoft’s .NET Framework and Silverlight patch quickly, since at least two of its flaws were disclosed in detail before today’s updates came out.

That’s not to say you should lax-off on the other updates. I think the IE patch is pretty important too; as are any updates Microsoft rates Critical. So I’d recommend you apply all six of the Critical updates today if you can. Of course, I still recommend you test Microsoft’s updates in a non-production  environment before pushing them to any critical production server. It may be ok to quickly patch client machines without testing, but you don’t want any surprises with your critical servers.

We’ll share more details about Microsoft’s bulletins in upcoming alerts, posted throughout the day. We’ve posted Microsoft update matrix below, for your convenience.  — Corey Nachreiner, CISSP (@SecAdept)

Summary of July 2013 Microsoft Updates

Summary of July 2013 Microsoft Updates

Office 2003 Document Handling Code Execution Vulnerability

Severity: Medium

Summary:

  • These vulnerabilities affect: Office 2003 and Office for Mac 2011
  • How an attacker exploits them: By enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches as soon as possible, or let Windows Update do it for you.

Exposure:

As part of part of Patch Day, Microsoft released a security bulletin describing a vulnerability in Office 2003 and Office for Mac 2011. Specifically, the Office components used to parse PNG image files suffer from a buffer overflow vulnerability involving the way they handle specially crafted images. By embedding a malicious PNG image into an Office document, and tricking one of your users into downloading and opening or previewing it, an attacker can exploit this vulnerability to execute code on that user’s computer, inheriting that user’s privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Though Microsoft only rates this security update as Important, since the attack requires user interaction to succeed, we believe it poses a significant risk because many normal users trust Microsoft Office documents. You should patch this flaw as soon as you can.

Solution Path

Microsoft has released an update for Office to fix this flaw. If you use Office 2003 or Office for Mac 2011 you should download, test, and deploy the update as soon as possible, or let Windows Update do it for you. See the “Affected and Non-Affected Software” section of Microsoft’s bulletin for more details on where to find the updates.

For All WatchGuard Users:

Though you can use WatchGuard’s XTM and XCS appliances to block certain files and content, such as Office documents, most organizations share these types of documents as part of normal business. Instead, we recommend you install Microsoft’s updates to completely protect yourself from this flaw.

Status:

Microsoft has released an Office update to fix this flaw.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: Big IE Update Trumps Windows & Office Patches

If you manage Windows networks, you know what time it is… time for Microsoft’s monthly list of security updates.

Microsoft Patch day has gone live, and you can find a listing of today’s security bulletins in their June Patch Day summary page. As expected, they released five security bulletins, one for Internet Explorer (IE), three for Windows and its components, and one for Office. They only rate the IE bulletin as Critical.

I recommend you focus most your attention to the IE update. It corrects 19 vulnerabilities—the bulk of today’s flaw—and most of them could allow remote attackers to gain control of your users’ computers via drive-by download attacks. You should definitely patch it first. That said, the Windows and Office updates are still important. Even though the Windows flaws require local access, and the Office flaw requires a bit of user interaction, they still pose some risk. So patch them too, just start with IE.

We’ll share more details about Microsoft’s bulletins in three upcoming alerts, posted throughout the day. Stay tuned.  — Corey Nachreiner, CISSP (@SecAdept)MS Patch Day June 2013

Next Week’s Patch Tuesday Focuses on IE

I’m sure you’re used to the Microsoft Patch drill by now, so let’s jump right in…

According to their advanced notification post, Microsoft plans to release five security bulletins next Tuesday, which is a rather small number compared to Patch Days of recent past. Their notice warns that the bulletins will include security updates for Windows, Office, and Internet Explorer (IE), and will fix a total of 23 vulnerabilities. The IE patch alone  fixes 19 of those 23 issues, and it’s the only update Microsoft rates as Critical (the rest are rated Important).

Based on past experience, I’d bet that the majority of the IE fixes correct memory related vulnerabilities that attackers could leverage in drive-by download attacks.So when Patch Day comes around next week, I recommend you get your IT staff to put precedence on the IE update, then take care of the other four.

As an aside, there is no word whether or not Microsoft’s upcoming Windows updates will fix the zero day kernel-mode driver vulnerability that I mentioned the Google researcher disclosed last week. I’ll let you know once I know this flaw is patched and I’ll share more details about Patch Day next Tuesday.  — Corey Nachreiner, CISSP (@SecAdept)

Follow

Get every new post delivered to your Inbox.

Join 7,380 other followers

%d bloggers like this: