13 September, 2011
- These vulnerabilities affect: Most current versions of Microsoft Office and its components, as well as Office SharePoint and Groove servers and products.
- How an attacker exploits it: Typically by enticing one of your users to open a malicious Office document
- Impact: In the worst case, an attacker executes code on your user’s computer, gaining complete control of it
- What to do: Install Microsoft Office updates as soon as possible, or let Microsoft’s automatic update do it for you
As part of today’s Patch Day, Microsoft released three security bulletins describing flaws in Office and it’s components, as well as vulnerabilities in the Office SharePoint and Groove servers and products.
Two of the three bulletins describe seven document handling vulnerabilities found in Office and Excel for Windows or Mac. Though technically different, all of these document handling vulnerabilities share the same general scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Office document, he can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.
According to Microsoft’s bulletins, an attacker can exploit these flaws using many different types of Office documents, including Excel, Word, and PowerPoint files. Also, some of these issues involve the insecure DLL loading vulnerability that Microsoft has contended with the past year. In those cases, an attacker would have to entice your user to open a document in the same location as a malicious DLL file; somewhat mitigating the risk of the attack.
If you’d like to learn more about the individual document handling flaws, drill into the “Vulnerability Details” section of the security bulletins listed below:
- MS11-072: Five Excel Code Execution Vulnerabilities, rated Important
- MS11-073: Two Office Code Execution Vulnerabilities, rated Important
Microsoft also released a security bulletin detailing six vulnerabilities affecting their SharePoint, Groove, and Forms products. Most of the six flaws are Cross-Site Scripting (XSS) vulnerabilities, which allow attackers to elevate their privileges. More specifically, the attacker might leverage these flaws to execute scripts, launch commands, or perform operations under the context of an authenticated SharePoint victim. Of course, the attacker would have to entice his victim into clicking a specially crafted link or URL for this sort of attack to succeed.
Microsoft has released patches for Office, and the SharePoint and Groove products, to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you. For simplicity sake, we highly recommend letting Windows update select the updates you need if possible.
- Office 2003 w/SP3
- Office 2007 w/SP2
- Office 2010 32-bit
- Office 2010 64-bit
- Excel Services for SharePoint Server 2007
- Excel Services for SharePoint Server 2010
- Office Web Apps 2010
Due to the complex selection of update, we recommend you see the “Affected Software” section of Microsoft’s SharePoint and Groove bulletin to find the appropriate set of patches you need to apply. Better yet, Microsoft’s automatic update can apply the correct set of updates for you.
For All WatchGuard Users:
While you can configure certain WatchGuard Firebox models to block Microsoft Office documents, most organizations need to allow them in order to conduct business. Therefore, the patches above are your best recourse.
That said, if you want to block Office documents, you can use the HTTP, SMTP, and/or POP3 proxies to block documents by extension (such as .xls, .doc, .ppt, etc…). However, doing so blocks both malicious and legitimate file.
If you would like to use our proxies to block Office documents, follow the links below for instructions:
- XTM Appliance with WSM 11.x
- Firebox X Edge running 10.x
- Firebox X Core and X Peak running Fireware 10.x
Microsoft has released Office updates to fix these vulnerabilities.
This alert was researched and written by Corey Nachreiner, CISSP.