• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Microsoft Office Updates Correct Sharepoint and Visio Flaws

February 15, 2012 By Corey Nachreiner

Summary:

  • These vulnerabilities affect: SharePoint, SharePoint Foundation, and Visio Viewer 2010, which are all part of Microsoft’s Office suite of products
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web site or link, and enticing them to open malicious Visio files
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate SharePoint and Visio patches as soon as you can, or let Windows Update do it for you.

Exposure:

Yesterday, Microsoft released two Office-related  security bulletins describing eight vulnerabilities found in SharePoint, SharePoint Foundation, and Visio Viewer 2010 — all part of Microsoft’s Office suite of products. Microsoft rates both bulletins as Important. We summarize the bulletins below:

  • MS12-011: Three SharePoint XSS Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They both suffer from three  Cross-Site Scripting vulnerabilities (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to visit a malicious web page or into clicking a specially crafted link, an attacker could exploit any of these flaws to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Important.

  • MS12-015: Five Visio Viewer Memory Corruption Vulnerabilities

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams.  Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from five code execution vulnerabilities, all involving the way it handles specially crafted Visio documents. Though the flaws differ technically, they share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. These flaws only affect Visio Viewer 2010, not the commercial Visio product.

Microsoft rating: Important

Solution Path

Microsoft has released SharePoint and SharePoint Foundation patches that correct these vulnerabilities. You should download, test, and deploy the appropriate SharePoint patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

  • MS12-011
  • MS12-015

For All WatchGuard Users:

If you choose, you can configure the HTTP, SMTP, and FTP proxies on your XTM appliance to block Microsoft Visio documents from entering your network. Keep in mind, doing so blocks both legitimate and malicious Visio files. If your business regularly transfers Visio files outside your network, you may not want to block them with our appliance. However, if you can block them, it will help mitigate the risk of the Visio Viewer vulnerabilities until you are able to patch.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify Visio files:

File Extensions:

  • .vsd – Visio Drawing files
  • .vst – Visio Template files
  • .vss – Visio Stencil files
  • .vdx – Visio XML Drawing files
  • .vtx  – Visio XML Template files
  • .vsx – Visio XML Stencil files

MIME types:

  • application/visio
  • application/x-visio
  • application/vnd.visio
  • application/visio.drawing
  • application/vsd
  • application/x-vsd
  • image/x-vsd
  • zz-application/zz-winassoc-vsd
  • application/x-visiotech

FILExt.com reported Magic Byte Pattern:

  • Hex: D0 CF 11 E0 A1 B1 1A E1 00

If you do decide you want to block Visio files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

  • XTM Appliance with WSM 11.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP Proxy?
  • Firebox X Edge running 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy
  • Firebox X Core and X Peak running Fireware 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?

Status:

Microsoft has released SharePoint and Visio updates to fix these vulnerabilities.

References:

  • MS Security Bulletin MS12-011
  • MS Security Bulletin MS12-015

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Share This:

Related

Filed Under: Security Bytes Tagged With: microsoft office, sharepoint, visio

Comments

  1. Vanessa says

    February 26, 2012 at 8:24 am

    Sharepoint and Visio Flaws still has a debug errors 🙁

    Reply
  2. Hum Badal Gaye says

    July 30, 2013 at 2:47 pm

    What’s up colleagues, how is the whole thing, and what you want to say concerning this paragraph, in my view its actually remarkable designed for me.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • 3CX Supply Chain Attack
  • Here Come The Regulations

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • 3CX Supply Chain Attack
  • The NSA’s Guidance on Securing Authentication
  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use