Office Document Parsing Problems Cause a Predicament

Severity: High

13 September, 2011

Summary:

• These vulnerabilities affect: Most current versions of Microsoft Office and its components, as well as Office SharePoint and Groove servers and products.
• How an attacker exploits it: Typically by enticing one of your users to open a malicious Office document
• Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
• What to do: Install Microsoft Office updates as soon as possible, or let Microsoft’s automatic update do it for you

Exposure:

As part of today’s Patch Day, Microsoft released three security bulletins describing flaws in Office and it’s components, as well as vulnerabilities in the Office SharePoint and Groove servers and products.

Two of the three bulletins describe seven document handling vulnerabilities found in Office and Excel for Windows or Mac. Though technically different, all of these document handling vulnerabilities share the same general scope and impact.  If an attacker can entice one of your users into downloading and opening a maliciously crafted Office document, he can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

According to Microsoft’s bulletins, an attacker can exploit these flaws using many different types of Office documents, including Excel, Word, and PowerPoint files. Also, some of these issues involve the insecure DLL loading vulnerability that Microsoft has contended with the past year. In those cases, an attacker would have to entice your user to open a document in the same location as a malicious DLL file; somewhat mitigating the risk of the attack.

If you’d like to learn more about the individual document handling flaws, drill into the “Vulnerability Details” section of the security bulletins listed below:

• MS11-072: Five Excel Code Execution Vulnerabilities, rated Important
• MS11-073: Two Office Code Execution Vulnerabilities, rated Important

Microsoft also released a security bulletin detailing six vulnerabilities affecting their SharePoint, Groove, and Forms products. Most of the six flaws are Cross-Site Scripting (XSS) vulnerabilities, which allow attackers to elevate their privileges. More specifically, the attacker might leverage these flaws to execute scripts, launch commands, or perform operations under the context of an authenticated SharePoint victim. Of course, the attacker would have to entice his victim into clicking a specially crafted link or URL for this sort of attack to succeed.

Solution Path

Microsoft has released patches for Office, and the SharePoint and Groove products, to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you. For simplicity sake, we highly recommend letting Windows update select the updates you need if possible.

MS11-072:

Updates for:

• Office 2003 w/SP3
• Office 2007 w/SP2
• KB2553073
• KB2553089
• KB2553090
• Office 2010 32-bit
  • KB2553070
  • KB2553091
  • KB2553096
• Office 2010 64-bit
  • KB2553070
  • KB2553091
  • KB2553096

• Office 2004  for Mac
• Office 2008  for Mac
• Office for Mac 2011
• Open XML File Format Converter for Mac

• Excel Viewer
• Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

• Excel Services for SharePoint Server 2007
• 32-bit
• 64-bit
• Excel Services for SharePoint Server 2010
• Office Web Apps 2010

MS11-073:

• Office 2003 w/SP3
• Office 2007 w/SP2
• Office 2010 w/SP1 (32-bit)
• Office 2010 w/SP1 (64-bit)

MS11-074:

Due to the complex selection of  update, we recommend you see the “Affected Software” section of Microsoft’s SharePoint and Groove bulletin to find the appropriate set of patches you need to apply. Better yet, Microsoft’s automatic update can apply the correct set of updates for you.

For All WatchGuard Users:

While you can configure certain WatchGuard Firebox models to block Microsoft Office documents, most organizations need to allow them in order to conduct business. Therefore, the patches above are your best recourse.

That said, if you want to block Office documents, you can use the HTTP, SMTP, and/or POP3 proxies to block documents by extension (such as .xls, .doc, .ppt, etc…). However, doing so blocks both malicious and legitimate file.

If you would like to use our proxies to block Office documents, follow the links below for instructions:

• XTM Appliance with WSM 11.x
• How do I block files with the FTP proxy?
• How do I block files with the HTTP proxy?
• How do I block files with the POP3 proxy?
• How do I block files with the SMTP Proxy?

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy

• Firebox X Core and X Peak running Fireware 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy?

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

• MS Security Bulletin MS11-072
• MS Security Bulletin MS11-073
• MS Security Bulletin MS11-074

This alert was researched and written by Corey Nachreiner, CISSP.