Summary:
- These vulnerabilities affect: Microsoft Office 2002, 2003, and 2007 (Windows only) or the components that ship with it
- How an attacker exploits them: Multiple vectors of attack, including enticing your users to a malicious website, or into opening a malicious attachment.
- Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.
Exposure:
Today, Microsoft released two security bulletins describing three vulnerabilities that affect the Windows versions of Microsoft Office 2002, 2003, and 2007 or components that ship with it. Each vulnerability affects Office components to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.
- MS10-044: Various Office ActiveX Control Code Execution Vulnerabilities
ActiveX controls are essentially small programs, often shared between applications, that work behind the scenes performing minor tasks on Windows-based computers. They are kind of like Microsoft-only Java applets. Many Microsoft applications, including Office, ship with many different ActiveX controls for performing various tasks For instance, Microsoft Office installs an ActiveX control (common to both Outlook and IE) that allows elements of your Outlook environment, such as your calendar or email messages, to be viewed as a web page.
Unfortunately, some of the ActiveX controls that ship with Office 2003 and 2007 Microsoft Office System suffer from two vulnerabilities involving the way these control handle memory. While the flaws differ technically, they share the same end result. If an attacker can entice one of your users into visiting a maliciously crafted web page, he can exploit either of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.
Microsoft rating: Critical.
- MS10-045: Outlook Attachment Code Execution Vulnerability
Outlook suffers from a code execution vulnerability due to its inability to handle attachments that are attached to an email in a particular way. Microsoft’s bulletin doesn’t describe exactly what type of attachment causes the issue. The flaws lies more in how the attachment is attached (using the ATTACH_BY_REFERENCE value of the PR_ATTACH_METHOD property), rather than what type of attachment it is. In any case, by enticing one of your users into opening an attachment from a specially crafted email, an attacker can exploit this flaw to execute code on your user’s computer, with that user’s privileges. Since most Windows users have local administrative privileges, the attacker would likely gain full control of your user’s computer.
Microsoft rating: Important.
Solution Path:
Microsoft has released patches that correct all of these Office related vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.
MS10-045:
Outlook update for:
Does My Firewall Help?
Attackers can exploit these flaws using diverse exploitation methods, such as luring you to a seemingly normal website or opening an unspecified attachment. Therefore, installing Microsoft’s updates is your most secure course of action. That said, in general, we recommend you train your users to avoid opening any unsolicited attachment.
Status:
Microsoft has released patches correcting these issues.