Tag Archives: visio

Office Updates Mend Word and Outlook Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word and Outlook
  • How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents or email
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins that fix four vulnerabilities in Word and Outlook. We summarize the bulletins below, in order from highest to lowest severity.

  • MS13-091: Multiple Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office.  It suffers from three memory corruption vulnerabilities having to do with how it handles malformed Word and WordPerfect files. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Word or WordPerfect document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Word except for Word for Mac.

Microsoft rating: Important

  • MS13-094:  Outlook S/MIME Information Disclosure Flaw

Outlook is the popular Windows email client that ships with Office. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting MIME data, or put more simply, it allows you to encrypt email. Outlook suffers from an information disclosure vulnerability involving the way it handles specially crafted S/MIME certificates. By convincing one of your users to open or preview a malicious email with a specially crafted S/MIME certification, an attacker could exploit this flaw to learn a bit about the victim system, including its IP address and the ports it listens on. However, the attacker could not leverage the flaw to compromise the victim system.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Office Patches Mend Word, Visio, Publisher, and Lync

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including Word, Visio, Publisher, and Lync
  • How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix 14 vulnerabilities in a range of Microsoft Office products, including Word, Visio, Publisher, and Lync. We summarize these four security bulletins below, in order from highest to lowest severity.

  • MS13-041: Lync Remote Code Execution (RCE) Vulnerability

 Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from an unspecified memory corruption vulnerability that attackers could leverage to execute arbitrary code on your computer. If an attacker can convince one of your users to join a Lync or Communicator session containing specially crafted content, they could execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could gain complete control of affected computers. This flaw only affects certain versions of Lync and Communicator. See the “Affected and Non-Affected Software” section of Microsoft’s bulletin for more details.

Microsoft rating: Critical

  • MS13-042: Multiple Publisher Memory Corruption Vulnerabilities

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from eleven memory corruption vulnerabilities. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Publisher except 2013.

Microsoft rating: Important

Word is the popular word processor that ships with Office. It suffers from a remote code execution (RCE) vulnerability having to do with how it handles Word or RTF documents containing maliciously crafted shape data. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word and Word Viewer 2003.

Microsoft rating: Important

  • MS13-044 : Visio Information Disclosure Vulnerability

Microsoft Visio is a popular diagramming program often used to create network diagrams.  Visio suffers from a complex information disclosure vulnerability, involving the way it parses specially crafted XML content. At a high level, XTM documents can contain “external entities;” essentially text or binary data from an external location. If an attacker can entice one of your users into downloading and opening a malicious Visio document (containing XTM content), he can exploit this flaw to read data from files on the victim’s computer. This flaw affects all versions of Visio except 2013.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed a signature that can detect and block the Visio Information Disclosure issue:

  • EXPLOIT Microsoft Visio XML External Entities Resolution Vulnerability (CVE-2013-1301)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Four Office-related Updates Fix Productivity Software Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Visio Viewer 2010, SharePoint Server 2010, OneNote 2010, and Outlook for Mac
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting malicious URLs
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing vulnerabilities in some of their Office-related productivity packages,  including Visio Viewer, SharePoint, OneNote, and Outlook for Mac. We summarize the four security bulletins below, in order of severity:

  • MS13-023: Visio Viewer Code Execution Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from a memory-related code execution vulnerability, having to do with the way it handles specially crafted Visio diagrams. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit this vulnerability to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects the 2010 version of Visio Viewer.

Microsoft rating: Critical

  • MS13-024: Various SharePoint Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They suffer from four different security issues, including a few elevation of privilege flaws, a Cross-Site Scripting vulnerability (XSS), and a Denial of Service (DoS) issue. By either enticing one of your users into clicking a malicious URL, or by inputting a specially crafted URL into a vulnerable SharePoint server, an attacker could exploit the worst of these flaws to gain elevated access to your SharePoint server, allowing him to view or change the documents your user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Critical.

  • MS13-025: OneNote 2010 Information Disclosure Flaw

Microsoft OneNote is a digital notebook that provides you a place to easily take notes on your digital device. It ships with most recent versions of Office. OneNote suffers from an information disclosure flaw. If an attacker can entice one of your users into downloading and opening a maliciously crafted OneNote (.ONE) file, she can leverage this flaw to read arbitrary data from your computer’s memory. Depending on what you are doing on your computer at the time, this flaw could allow the attacker to gain access to some of your sensitive information, including usernames and passwords. The issue only affects the 2010 version of OneNote.

Microsoft rating: Important

  • MS13-026: Outlook for Mac Information Disclosure Flaw

Outlook for Mac (the Apple OS X version of Microsoft’s email client) suffers from a relatively minor information disclosure vulnerability having to do with how it previews certain HTML email messages. If an attacker can lure you into opening a specially crafted HTML email, they can verify your email address is accurate and confirm you previewed the message. At best, this vulnerability may help attackers enumerate valid email addresses for later use in their spam and phishing attacks. However, it does not give attackers any further access to your email messages or computer. For that reason, we believe it poses a fairly low risk.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these vulnerabilities using diverse methods. Though you can configure WatchGuard appliances to block some of the Office documents related to a few of these attacks, and you can leverage our security services to mitigate the risk of malware delivered via these attacks, we cannot protect you against all of them; especially the local ones. We recommend you apply Microsoft’s patches to best protect your network.

That said, our IPS signature team has developed new signatures that can detect and block some of the SharePoint attacks:

  • WEB Microsoft SharePoint Server Callback Function Vulnerability (CVE-2013-0080)
  • WEB Microsoft SharePoint XSS Vulnerability (CVE-2013-0083)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -1 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -2 (CVE-2013-0084)
  • WEB Microsoft Share Point Directory Traversal Vulnerability -3 (CVE-2013-0084)

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

One Critical and Two Important Microsoft Office Updates

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office, Visio, SQL Server, Commerce Server, Host Integration Server 2004, Visual FoxPro, and Visual Basic 6.0 Runtime
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting web sites with malicious content
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released three Office-related security bulletins describing vulnerabilities found in Microsoft Office, Visio, and other productivity-related software. They rate one of the updates as Critical and the others as Important.

Besides affecting Office, the Critical update also affects:

  • SQL Server (most versions)
  • Commerce Server (all versions)
  • Host Integration Server 2004
  • Visual FoxPro
  • Visual Basic Runtime

We summarize the three bulletins below:

  • MS12-060: Common Controls Remote Code Execution Vulnerability

Office (and many other Microsoft products listed above) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). One of the ActiveX controls in this library suffers from an unspecified remote code execution vulnerability. By enticing one of your users to visit a malicious web page, or into clicking a specially crafted link, an attacker could exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of his machine. Microsoft’s update sets the kill bit for the vulnerable ActiveX control.

According to Microsoft, attackers are exploiting this vulnerability in the wild, in “limited targeted” attacks. This significantly increases the risk of this already serious vulnerability. You should apply this update immediately.

Microsoft rating: Critical.

  • MS12-057: CGM File Memory Corruption Vulnerability 

Computer Graphics Metafiles (CGM) are text-based file representations of 2D vector or raster graphics. Though few people actually use CGM files today, Microsoft Office still supports this legacy file type.

According to the bulletin, Office suffers from an unspecified memory corruption vulnerability involving the way it handles CGM files. By enticing one of your users into opening a CGM file, or into opening an Office document containing an embedded CGM file, an attacker can exploit this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative rights, the attacker gains complete control of the computer.

Microsoft rating: Important

  • MS12-059: Visio DXF Buffer Overflow Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams.

Visio and Visio Viewer suffer from a buffer overflow vulnerability involving the way they handle a specific type of specially crafted Visio document, called a DXF file. If an attacker can entice one of your users into downloading and opening a maliciously crafted DXF file, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects Visio and Visio Viewer 2010.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Many of WatchGuard’s security appliances can help mitigate the risk of some of these attacks. For instance, you can configure WatchGuard appliances to block the Office documents related to a few of these attacks (such as DOC, XLS, and DXF files) and you can leverage our security services to mitigate the risk of malware delivered via these attacks.

However, most administrators prefer to allow Office documents into their network, and our appliances cannot protect you against all avenues attacks, especially local ones. So we still recommend you apply Microsoft’s patches to best protect your network.

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Office Patches Mend SharePoint, Visual Basic, and Mac Specific Flaws

Severity: Medium

Summary:

  • These vulnerabilities affect: Microsoft Office (for PC and Mac), the SharePoint suite of products, and Visual Basic
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting web sites with malicious content
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released three Office-related security bulletins describing eight vulnerabilities found in various Office and Office-related packages including the SharePoint suite of products, Office for Mac, and Visual Basic. We summarize the bulletins below:

  • MS12-046: VBA Insecure Library Loading Vulnerability 

Microsoft Visual Basic for Applications (VBA) is a development platform that ships with Office, and helps you create new applications that integrate with existing Office applications and data systems. It suffers from a Dynamic Link Library (DLL) loading class vulnerability, which we’ve described in many previous Microsoft alerts. In a nutshell, this class of flaw involves an attacker enticing one of your users into opening some sort of booby-trapped file from the same location as a maliciously crafted DLL file. If you open the booby-trapped file, it executes code in the malicious DLL file with your privileges. If you have local administrative privileges, the attacker could exploit this type of issue to gain complete control of your computer. In this particular case, the vulnerability is triggered by opening Office documents, such as .docx or xlsx.

Microsoft rating: Important

  • MS12-050: Multiple SharePoint Vulnerabilities

SharePoint is Microsoft’s web and document collaboration and management platform. SharePoint, and other related packages, suffer from six new security flaws, including three Cross-Site Scripting vulnerabilities (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to visit a malicious web page or into clicking a specially crafted link, an attacker could exploit any of the three XSS flaws to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could. The remaining issues include two information disclosure flaws and a URL redirection vulnerability attackers could leverage in spoofing attacks. See the “Vulnerability Information” security of the bulletin for more details.

Microsoft rating: Important

  • MS12-051: Office for Mac Elevation of Privilege Flaw

Office for Mac 2011 (the Apple OS X version of Microsoft’s productivity software) suffers from a vulnerability involving the way it sets folder permissions. If an attacker can gain physical access to your computer, plant a malicious executable in an Office folder, and then entice you to run it, the executable launches with your elevated privileges. Of course, if an attacker already has enough access to your computer to do all this, you already have significant problems. This flaw only poses a marginal risk.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

Attackers can exploit these vulnerabilities using diverse methods, including by placing files locally. Though you can configure WatchGuard appliances to block some of the Office documents related to a few of these attacks, and you can leverage our security services to mitigate the risk of malware delivered via these attacks, we cannot protect you against all these attacks, especially the local ones. We recommend you apply Microsoft’s patches to best protect your network.

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Word, Visio, and Excel Suffer from Document Handling Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Microsoft Office for Windows and Mac, and related products like Visio Viewer and the Office Compatibility Packs
  • How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches as soon as possible, or let Windows Update do it for you.

Exposure:

Today, Microsoft released three security bulletins describing eight vulnerabilities specifically affecting Microsoft Office and its related components. Some of these issues affect Office running on either Windows or Mac computers, while others also affect components like the Office Compatibility Pack and Visio Viewer.

Microsoft also released a fourth Office-related bulletin (MS12-034), which affects many other Microsoft products as well. Since this fourth bulletin also affects Windows users, we will detail it in our upcoming Windows alert. If you use Office, you should also refer to this Windows bulletin, and apply its update as well.

Microsoft’s three Office-specific bulletins describe eight code execution vulnerabilities, all of which involve the way Office (and its related applications) handle different types of documents. These document-handling flaws differ technically, but share the same general scope and impact. If an attacker can entice one of your users to download and open a maliciously crafted Office document, she can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

The only difference of note between these flaws is which type of Office document attackers use to trigger them. The affected Office documents include Rich Text Files (RTF) opened in Word, Excel (XLS) documents, and Visio (VSD, VSS, etc.) files.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS12-029: Word RTF Code Execution Vulnerability, rated Critical
  • MS12-030: Multiple Excel Code Execution Vulnerabilities, rated Important
  • MS12-031: Visio Viewer Code Execution Vulnerability, rated Important

Solution Path

Microsoft has released many updates to correct these vulnerabilities. If you use Office or any of the Office-related components mentioned in this alert, you should download, test, and deploy the appropriate patches as quickly as possible, or let Windows Update automatically install them for you.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find the various updates:

For All WatchGuard Users:

Many WatchGuard appliances can block incoming Office documents. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if Office documents are not absolutely necessary to your business, you may consider blocking them using our proxies, at least until you install these patches.

If you would like to use our XTM and Firebox appliance’s proxy policies to block the affected documents, follow the links below for general proxy instructions:

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: May Brings Windows, Office and .NET Patches

Microsoft has offered its May security updates to the masses. As expected, the theme this month seems to revolve around Office document parsing vulnerabilities. If you use Office in your network, you will want to apply these updates as soon as possible.

In their May security bulletin summary, Microsoft highlights seven security bulletins that fix 23 vulnerabilities in four primary products, including:

  • Windows
  • Office
  •  .NET Framework
  • Silverlight

They rate three of these bulletins as Critical, which typically means remote attackers can exploit them to gain control of affected computers.

The two most serious flaws appear to be a vulnerability in Word (MS12-029) involving the way it handles Rich Text Files (RTF), and ten flaws that affect Office, Windows, the .NET Framework, and Silverlight (MS12-034); many of which also have to do with how these products handle documents or fonts. I would apply these updates in the same order Microsoft recommends in their summary post.

I’ll share more details about these issues, and how to fix them, in consolidated alerts I’ll post here shortly.

[UPDATE] I mistakenly published an unfinished version of this post as I was writing it. This may have resulted in you receiving an email containing the incomplete post. I apologize for the confusion this may have caused, and the extra email.  — Corey Nachreiner, CISSP (@SecAdept)

Multiple Office Security Updates: One Affects Other Server Products

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office, Works, SQL Server, BizTalk Server 2002, Commerce Server, Visual FoxPro, and Visual Basic 6.0 Runtime
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web site or link, and enticing them to open malicious Works files
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft Updates immediately, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two Office-related security bulletins describing vulnerabilities found in Microsoft Office, and other productivity-related software. They rate one of the updates as Critical and the other as Important. Besides affecting Office, the Critical update also affects:

  • SQL Server (most versions)
  • BizTalk Server 2002
  • Commerce Server (all versions)
  • Visual FoxPro
  • Visual Basic Runtime

We summarize the two bulletins below:

  • MS12-027: Common Controls Remote Code Execution Vulnerability

Office (and many other Microsoft products listed above) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Three of the controls in this ActiveX library suffer from an unspecified remote code execution vulnerability. By enticing one of your users to visit a malicious web page, or into clicking a specially crafted link, an attacker could exploit the flaw in these controls to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of his machine. Microsoft’s update sets the kill bit for the vulnerable ActiveX controls.  According to Microsoft, attackers are exploiting this vulnerability in the wild, in “limited targeted” attacks. This significantly increases the risk of this already serious vulnerability. You should apply this update immediately.

Microsoft rating: Critical.

  • MS12-028: Works Converter Document Parsing Vulnerability

Microsoft Works is a light-weight office productivity package similar to Microsoft Office, though with fewer features and capabilities. Microsoft Office and newer versions of Works ship with a Works converter component, which allows these products to open various Works documents. This Works converter suffers from a vulnerability involving the way it validates and parses Works .wps files. If an attacker can entice one of your users into downloading and opening a maliciously crafted .wps document, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects Office 2007 w/SP2 and Works 9.

Microsoft rating: Important

Solution Path

Microsoft has released many product updates that correct these vulnerabilities. If you use any of the software mentioned in this alert, you should download, test, and deploy the appropriate patches as quickly as possible, or let Windows Update automatically install them for you.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

If you choose, you can configure the HTTP, SMTP, and FTP proxies on your XTM appliance to block Microsoft Works documents from entering your network, thus mitigating the risk of one these issues. Keep in mind, doing so blocks both legitimate and malicious Works files. If your business regularly transfers Works files outside your network, you may not want to block them with our appliance.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify the affected Works document (.wps):

File Extensions:

  • .wps – Works document

MIME types:

  • application/vnd.ms-works
  • application/x-msworks-wp
  • zz-application/zz-winassoc-wps

FILExt.com reported Magic Byte Pattern:

  • Hex: D0 CF 11 E0 A1 B1 1A E1 00

If you do decide you want to block Works files, the links below contain instructions that will help you configure your WatchGuard appliance’s content blocking features using the file and MIME information listed above.

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Microsoft Office Updates Correct Sharepoint and Visio Flaws

Summary:

  • These vulnerabilities affect: SharePoint, SharePoint Foundation, and Visio Viewer 2010, which are all part of Microsoft’s Office suite of products
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web site or link, and enticing them to open malicious Visio files
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate SharePoint and Visio patches as soon as you can, or let Windows Update do it for you.

Exposure:

Yesterday, Microsoft released two Office-related  security bulletins describing eight vulnerabilities found in SharePoint, SharePoint Foundation, and Visio Viewer 2010 — all part of Microsoft’s Office suite of products. Microsoft rates both bulletins as Important. We summarize the bulletins below:

  • MS12-011: Three SharePoint XSS Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They both suffer from three  Cross-Site Scripting vulnerabilities (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to visit a malicious web page or into clicking a specially crafted link, an attacker could exploit any of these flaws to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Important.

  • MS12-015: Five Visio Viewer Memory Corruption Vulnerabilities

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams.  Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from five code execution vulnerabilities, all involving the way it handles specially crafted Visio documents. Though the flaws differ technically, they share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. These flaws only affect Visio Viewer 2010, not the commercial Visio product.

Microsoft rating: Important

Solution Path

Microsoft has released SharePoint and SharePoint Foundation patches that correct these vulnerabilities. You should download, test, and deploy the appropriate SharePoint patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

If you choose, you can configure the HTTP, SMTP, and FTP proxies on your XTM appliance to block Microsoft Visio documents from entering your network. Keep in mind, doing so blocks both legitimate and malicious Visio files. If your business regularly transfers Visio files outside your network, you may not want to block them with our appliance. However, if you can block them, it will help mitigate the risk of the Visio Viewer vulnerabilities until you are able to patch.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Visio files:

File Extensions:

  • .vsd – Visio Drawing files
  • .vst – Visio Template files
  • .vss – Visio Stencil files
  • .vdx – Visio XML Drawing files
  • .vtx  – Visio XML Template files
  • .vsx – Visio XML Stencil files

MIME types:

  • application/visio
  • application/x-visio
  • application/vnd.visio
  • application/visio.drawing
  • application/vsd
  • application/x-vsd
  • image/x-vsd
  • zz-application/zz-winassoc-vsd
  • application/x-visiotech

FILExt.com reported Magic Byte Pattern:

  • Hex: D0 CF 11 E0 A1 B1 1A E1 00

If you do decide you want to block Visio files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

Status:

Microsoft has released SharePoint and Visio updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Two Visio Document Parsing Vulnerabilities

Severity: Medium

10 August, 2011

Summary:

  • This vulnerability affects: All current versions of Microsoft Visio
  • How an attacker exploits it: By enticing one of your users into opening a maliciously crafted Visio document
  • Impact: An attacker can execute code, potentially gaining complete control of your users’ computers
  • What to do: Deploy the appropriate Visio patches as soon as possible, or let Windows Update do it for you

Exposure:

Microsoft Visio is a very popular diagramming application, which many administrators use to create network diagrams. It also ships with some Office packages.

In a security bulletin released yesterday, Microsoft describes two security vulnerabilities that affect all current versions of Visio. The vulnerabilities differ technically, but share the same scope and impact. They both involve flaws in how Visio parses Visio documents. If an attacker can entice one of your users into opening a specially crafted Visio file (such as .vsd, .vdx, .vst, or .vtx), he could exploit either of these flaws to execute code on that user’s computer with that user’s  privileges. If your user has administrative privileges, the attacker could gain complete control of their computer.

Solution Path:

Microsoft has released Visio patches to fix this flaw. You should download, test, and deploy the appropriate patches as soon as possible, or let Windows Update do it for you.

For All WatchGuard Users:

If the practice fits your business environment, you can use the HTTP, SMTP, and/or POP3 proxies to block Visio documents by extension (such as .vsd, .vdx, .vst, or .vtx). However, doing so blocks both malicious and legitimate file.

If you would like to use our proxies to block Visio documents, follow the links below for instructions:

Status:

Microsoft has released a fix.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

More alerts and articles: Log into the LiveSecurity Archive.

Follow

Get every new post delivered to your Inbox.

Join 7,672 other followers

%d bloggers like this: