Five Office Updates Primarily Patch Document Handling Vulnerabilities

Summary:

• These vulnerabilities affect: Most current versions of Microsoft Office for Windows and Mac, and related products like Publisher
• How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents
• Impact: An attacker can execute code, potentially gaining complete control of your computer
• What to do: Install the appropriate Office patches as soon as possible, or let Windows Update do it for you.

Exposure:

Today, Microsoft released five security bulletins describing nine vulnerabilities found in Microsoft Office for Windows and Mac, including related products like Microsoft Publisher and other Office components. The specific affected Office applications and components include:

• Word
• Excel
• Powerpoint
• Publisher
• the optional Office Input Method Editor (IME) for Pinyin Chinese

Four of the five Office bulletins describe various code execution vulnerabilities, which all involve the way Office, and its many applications, handle different types of documents. These document handling flaws differ technically, but share the same general scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on that user’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

The only difference of note between these flaws is which type of Office document attackers can use to trigger them. The affected Office document types include, Word, PowerPoint, Excel, and Publisher files.

The fifth Office security bulletin describes a slightly less severe security vulnerability that only affects a smaller subset of Office users. The flaw specifically lies in the optional Input Method Editor (IME) for Pinyin Chinese. IMEs are optional components that allows Latin keyboard users to type non-Latin characters in Office or Windows. Unfortunately, the Office IME for Pinyin Chinese suffers from an elevation of privilege (EoP) vulnerability. If an attacker can gain local access to your computer using valid Windows credentials, she could run a specially crafted program that would give her full SYSTEM-level privileges on your computer. Of course, the attack only affects those who’ve specifically installed the Pinyin Chinese Office IME, and the attacker must have a valid login to exploit the issue.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

• MS11-089: Office (Word) Code Execution Vulnerability, rated Important
• MS11-091: Multiple Publisher Code Execution Vulnerabilities, rated Important
• MS11-094: PowerPoint Code Execution Vulnerability, rated Important
• MS11-096: Excel Code Execution Vulnerability, rated Important
• MS11-088: Microsoft Office IME (Chinese) Elevation of Privilege Vulnerability, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network as soon as possible, or let Windows Automatic Update do it for you.

MS11-089:

• Office 2007 (w/SP3)
• Office 2010 (w/SP1)
• Office 2010 (w/SP1) x64
• Office for Mac 2011

For All WatchGuard Users:

Many WatchGuard appliances can block incoming Office documents. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if Office documents are not absolutely necessary to your business, you may consider blocking them using our proxies, at least until  you install these patches.

If you would like to use our XTM and Firebox appliance’s proxy policies to block the affected documents, follow the links below for general instructions:

• XTM Appliance with WSM 11.x
• How do I block files with the FTP proxy?
• How do I block files with the HTTP proxy?
• How do I block files with the POP3 proxy?
• How do I block files with the SMTP Proxy?

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy

• Firebox X Core and X Peak running Fireware 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy?

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

• MS Security Bulletin MS11-088
• MS Security Bulletin MS11-089
• MS Security Bulletin MS11-091
• MS Security Bulletin MS11-094
• MS Security Bulletin MS11-096

This alert was researched and written by Corey Nachreiner, CISSP.