Secplicity - Security Simplified

Powered by WatchGuard Technologies

Five Office Updates Primarily Patch Document Handling Vulnerabilities

December 13, 2011 By Corey Nachreiner

Summary:

  • These vulnerabilities affect: Most current versions of Microsoft Office for Windows and Mac, and related products like Publisher
  • How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches as soon as possible, or let Windows Update do it for you.

Exposure:

Today, Microsoft released five security bulletins describing nine vulnerabilities found in Microsoft Office for Windows and Mac, including related products like Microsoft Publisher and other Office components. The specific affected Office applications and components include:

  • Word
  • Excel
  • PowerPoint
  • Publisher
  • the optional Office Input Method Editor (IME) for Pinyin Chinese

Four of the five Office bulletins describe various code execution vulnerabilities, which all involve the way Office, and its many applications, handle different types of documents. These document handling flaws differ technically, but share the same general scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on that user’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

The only difference of note between these flaws is which type of Office document attackers can use to trigger them. The affected Office document types include Word, PowerPoint, Excel, and Publisher files.

The fifth Office security bulletin describes a slightly less severe security vulnerability that only affects a smaller subset of Office users. The flaw specifically lies in the optional Input Method Editor (IME) for Pinyin Chinese. IMEs are optional components that allow Latin keyboard users to type non-Latin characters in Office or Windows. Unfortunately, the Office IME for Pinyin Chinese suffers from an elevation of privilege (EoP) vulnerability. If an attacker can gain local access to your computer using valid Windows credentials, she could run a specially crafted program that would give her full SYSTEM-level privileges on your computer. Of course, the attack only affects those who’ve specifically installed the Pinyin Chinese Office IME, and the attacker must have a valid login to exploit the issue.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS11-089: Office (Word) Code Execution Vulnerability, rated Important
  • MS11-091: Multiple Publisher Code Execution Vulnerabilities, rated Important
  • MS11-094: PowerPoint Code Execution Vulnerability, rated Important
  • MS11-096: Excel Code Execution Vulnerability, rated Important
  • MS11-088: Microsoft Office IME (Chinese) Elevation of Privilege Vulnerability, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network as soon as possible, or let Windows Automatic Update do it for you.

MS11-089:

  • Office 2007 (w/SP3)
  • Office 2010 (w/SP1)
  • Office 2010 (w/SP1) x64
  • Office for Mac 2011

MS11-091:

  • Publisher 2003 (w/SP3)
  • Publisher 2007 (w/SP3)

MS11-094:

PowerPoint for:

  • Office 2007 (w/SP3)
  • Office 2010 (w/SP1)
  • Office 2010 (w/SP1) x64
  • Office 2008 for Mac
  • Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
  • PowerPoint Viewer 2007

MS11-096:

Excel for:

  • Office 2003 (w/SP3)
  • Office 2004 for Mac

MS11-088:

  • Microsoft Pinyin IME 2010
  • Microsoft Pinyin IME 2010 (64-bit)
  • Office Pinyin SimpleFast Style 2010 and New Experience Style 2010
  • Office Pinyin SimpleFast Style 2010 and New Experience Style 2010 (64-bit)

For All WatchGuard Users:

Many WatchGuard appliances can block incoming Office documents. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if Office documents are not absolutely necessary to your business, you may consider blocking them using our proxies, at least until you install these patches.

If you would like to use our XTM and Firebox appliances’ proxy policies to block the affected documents, follow the links below for general instructions:

  • XTM Appliance with WSM 11.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?
  • Firebox X Edge running 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?
  • Firebox X Core and X Peak running Fireware 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

  • MS Security Bulletin MS11-088
  • MS Security Bulletin MS11-089
  • MS Security Bulletin MS11-091
  • MS Security Bulletin MS11-094
  • MS Security Bulletin MS11-096

This alert was researched and written by Corey Nachreiner, CISSP.
