• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Multiple Office Security Updates: One Affects Other Server Products

April 10, 2012 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office, Works, SQL Server, BizTalk Server 2002, Commerce Server, Visual FoxPro, and Visual Basic 6.0 Runtime
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web site or link, and enticing them to open malicious Works files
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft Updates immediately, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two Office-related security bulletins describing vulnerabilities found in Microsoft Office, and other productivity-related software. They rate one of the updates as Critical and the other as Important. Besides affecting Office, the Critical update also affects:

  • SQL Server (most versions)
  • BizTalk Server 2002
  • Commerce Server (all versions)
  • Visual FoxPro
  • Visual Basic Runtime

We summarize the two bulletins below:

  • MS12-027: Common Controls Remote Code Execution Vulnerability

Office (and many other Microsoft products listed above) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Three of the controls in this ActiveX library suffer from an unspecified remote code execution vulnerability. By enticing one of your users to visit a malicious web page, or into clicking a specially crafted link, an attacker could exploit the flaw in these controls to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of his machine. Microsoft’s update sets the kill bit for the vulnerable ActiveX controls.  According to Microsoft, attackers are exploiting this vulnerability in the wild, in “limited targeted” attacks. This significantly increases the risk of this already serious vulnerability. You should apply this update immediately.

Microsoft rating: Critical.

  • MS12-028: Works Converter Document Parsing Vulnerability

Microsoft Works is a light-weight office productivity package similar to Microsoft Office, though with fewer features and capabilities. Microsoft Office and newer versions of Works ship with a Works converter component, which allows these products to open various Works documents. This Works converter suffers from a vulnerability involving the way it validates and parses Works .wps files. If an attacker can entice one of your users into downloading and opening a maliciously crafted .wps document, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects Office 2007 w/SP2 and Works 9.

Microsoft rating: Important

Solution Path

Microsoft has released many product updates that correct these vulnerabilities. If you use any of the software mentioned in this alert, you should download, test, and deploy the appropriate patches as quickly as possible, or let Windows Update automatically install them for you.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

  • MS12-027
  • MS12-028

For All WatchGuard Users:

If you choose, you can configure the HTTP, SMTP, and FTP proxies on your XTM appliance to block Microsoft Works documents from entering your network, thus mitigating the risk of one these issues. Keep in mind, doing so blocks both legitimate and malicious Works files. If your business regularly transfers Works files outside your network, you may not want to block them with our appliance.

Our proxies offer many ways for you to block files and content, including by file extension,  MIME type, or by using very specific hexadecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify the affected Works document (.wps):

File Extensions:

  • .wps – Works document

MIME types:

  • application/vnd.ms-works
  • application/x-msworks-wp
  • zz-application/zz-winassoc-wps

FILExt.com reported Magic Byte Pattern:

  • Hex: D0 CF 11 E0 A1 B1 1A E1 00

If you do decide you want to block Works files, the links below contain instructions that will help you configure your WatchGuard appliance’s content blocking features using the file and MIME information listed above.

  • XTM Appliance with WSM 11.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP Proxy?
  • Firebox X Edge running 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy
  • Firebox X Core and X Peak running Fireware 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

  • MS Security Bulletin MS12-027
  • MS Security Bulletin MS12-028

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Share This:

Related

Filed Under: Security Bytes Tagged With: microsoft office, sharepoint, visio

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • 3CX Supply Chain Attack
  • Here Come The Regulations

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • 3CX Supply Chain Attack
  • The NSA’s Guidance on Securing Authentication
  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use