• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Office Document Parsing Problems Cause a Predicament

September 13, 2011 By Corey Nachreiner

Severity: High

13 September, 2011

Summary:

  • These vulnerabilities affect: Most current versions of Microsoft Office and its components, as well as Office SharePoint and Groove servers and products.
  • How an attacker exploits it: Typically by enticing one of your users to open a malicious Office document
  • Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Install Microsoft Office updates as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released three security bulletins describing flaws in Office and it’s components, as well as vulnerabilities in the Office SharePoint and Groove servers and products.

Two of the three bulletins describe seven document handling vulnerabilities found in Office and Excel for Windows or Mac. Though technically different, all of these document handling vulnerabilities share the same general scope and impact.  If an attacker can entice one of your users into downloading and opening a maliciously crafted Office document, he can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

According to Microsoft’s bulletins, an attacker can exploit these flaws using many different types of Office documents, including Excel, Word, and PowerPoint files. Also, some of these issues involve the insecure DLL loading vulnerability that Microsoft has contended with the past year. In those cases, an attacker would have to entice your user to open a document in the same location as a malicious DLL file; somewhat mitigating the risk of the attack.

If you’d like to learn more about the individual document handling flaws, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS11-072: Five Excel Code Execution Vulnerabilities, rated Important
  • MS11-073: Two Office Code Execution Vulnerabilities, rated Important

Microsoft also released a security bulletin detailing six vulnerabilities affecting their SharePoint, Groove, and Forms products. Most of the six flaws are Cross-Site Scripting (XSS) vulnerabilities, which allow attackers to elevate their privileges. More specifically, the attacker might leverage these flaws to execute scripts, launch commands, or perform operations under the context of an authenticated SharePoint victim. Of course, the attacker would have to entice his victim into clicking a specially crafted link or URL for this sort of attack to succeed.

Solution Path

Microsoft has released patches for Office, and the SharePoint and Groove products, to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you. For simplicity sake, we highly recommend letting Windows update select the updates you need if possible.

MS11-072:

Updates for:

  • Office 2003 w/SP3
  • Office 2007 w/SP2
    • KB2553073
    • KB2553089
    • KB2553090
  • Office 2010 32-bit
    • KB2553070
    • KB2553091
    • KB2553096
  • Office 2010 64-bit
    • KB2553070
    • KB2553091
    • KB2553096
  • Office 2004  for Mac
  • Office 2008  for Mac
  • Office for Mac 2011
  • Open XML File Format Converter for Mac
  • Excel Viewer
  • Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
  • Excel Services for SharePoint Server 2007
    • 32-bit
    • 64-bit
  • Excel Services for SharePoint Server 2010
  • Office Web Apps 2010

MS11-073:

  • Office 2003 w/SP3
  • Office 2007 w/SP2
  • Office 2010 w/SP1 (32-bit)
  • Office 2010 w/SP1 (64-bit)

MS11-074:

Due to the complex selection of  update, we recommend you see the “Affected Software” section of Microsoft’s SharePoint and Groove bulletin to find the appropriate set of patches you need to apply. Better yet, Microsoft’s automatic update can apply the correct set of updates for you.

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Office documents, most organizations need to allow them in order to conduct business. Therefore, the patches above are your best recourse.

That said, if you want to block Office documents, you can use the HTTP, SMTP, and/or POP3 proxies to block documents by extension (such as .xls, .doc, .ppt, etc…). However, doing so blocks both malicious and legitimate file.

If you would like to use our proxies to block Office documents, follow the links below for instructions:

  • XTM Appliance with WSM 11.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP Proxy?
  • Firebox X Edge running 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy
  • Firebox X Core and X Peak running Fireware 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

  • MS Security Bulletin MS11-072
  • MS Security Bulletin MS11-073
  • MS Security Bulletin MS11-074

This alert was researched and written by Corey Nachreiner, CISSP.

Share This:

Related

Filed Under: Security Bytes Tagged With: excel, Microsoft, sharepoint; groove, Updates and patches

Comments

  1. SEO says

    March 21, 2014 at 3:49 am

    Howdy! I just want to give an enormous thumbs up for the nice information you¡¦ve got here on this
    post. I shall be coming back to your weblog for extra soon.

    Reply
  2. 新聞 widget says

    March 26, 2014 at 9:33 pm

    Excellent post. I was checking continuously this blog and I am impressed!

    Very useful info specially the last part 🙂 I care for such information much.
    I was seeking this particular info for a long time.
    Thank you and best of luck.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • An Update on Section 230

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • 3CX Supply Chain Attack
  • The NSA’s Guidance on Securing Authentication
  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use