
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Word, Visio, and Excel Suffer from Document Handling Vulnerabilities

May 8, 2012 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: Most current versions of Microsoft Office for Windows and Mac, and related products like Visio Viewer and the Office Compatibility Packs
  • How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents
  • Impact: An attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Office patches as soon as possible, or let Windows Update do it for you.

Exposure:

Today, Microsoft released three security bulletins describing eight vulnerabilities specifically affecting Microsoft Office and its related components. Some of these issues affect Office running on either Windows or Mac computers, while others also affect components like the Office Compatibility Pack and Visio Viewer.

Microsoft also released a fourth Office-related bulletin (MS12-034), which affects many other Microsoft products as well. Since this fourth bulletin also affects Windows users, we will detail it in our upcoming Windows alert. If you use Office, you should also refer to this Windows bulletin, and apply its update as well.

Microsoft’s three Office-specific bulletins describe eight code execution vulnerabilities, all of which involve the way Office (and its related applications) handle different types of documents. These document-handling flaws differ technically, but share the same general scope and impact. If an attacker can entice one of your users to download and open a maliciously crafted Office document, she can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

The only difference of note between these flaws is which type of Office document attackers use to trigger them. The affected Office documents include Rich Text Files (RTF) opened in Word, Excel (XLS) documents, and Visio (VSD, VSS, etc.) files.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

  • MS12-029: Word RTF Code Execution Vulnerability, rated Critical
  • MS12-030: Multiple Excel Code Execution Vulnerabilities, rated Important
  • MS12-031: Visio Viewer Code Execution Vulnerability, rated Important

Solution Path

Microsoft has released many updates to correct these vulnerabilities. If you use Office or any of the Office-related components mentioned in this alert, you should download, test, and deploy the appropriate patches as quickly as possible, or let Windows Update automatically install them for you.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find the various updates:

  • MS12-029 – Office and Word Updates
  • MS12-030 – Office and Excel Updates
  • MS12-031 – Visio Viewer Updates

For All WatchGuard Users:

Many WatchGuard appliances can block incoming Office documents. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if Office documents are not absolutely necessary to your business, you may consider blocking them using our proxies, at least until you install these patches.

If you would like to use our XTM and Firebox appliance’s proxy policies to block the affected documents, follow the links below for general proxy instructions:

  • XTM Appliance with WSM 11.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP Proxy?
  • Firebox X Edge running 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?
  • Firebox X Core and X Peak running Fireware 10.x
    • How do I block files with the FTP proxy?
    • How do I block files with the HTTP proxy?
    • How do I block files with the POP3 proxy?
    • How do I block files with the SMTP proxy?
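The proxy file-blocking described above is only as strong as the way the gateway recognizes an Office document: an attacker can rename a file, and Word opens a document by its content rather than its extension. The following is an added example in Python, not code from this post or from WatchGuard's proxies. The magic-byte signatures are the standard ones for each container format, the extension list and policy names are assumptions made for illustration, and the sample bodies are constructed header fragments, not real documents. It puts an extension-only policy beside a content-aware one and shows where they disagree.

```python
import io
import os
import zipfile

# Standard container signatures for the formats the advisory names.
# These are well-known file-format markers, not exploit indicators.
RTF_MAGIC = b"{\\rtf"                                # Rich Text Format
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy binary Office: .doc/.xls/.vsd/.vss
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docx/.xlsx) is a zip container

# Assumed policy lists for this example: extensions the affected formats usually
# carry, and content types blocked regardless of filename.
BLOCKED_EXTENSIONS = {".rtf", ".doc", ".dot", ".xls", ".xlt", ".vsd", ".vss", ".vst"}
BLOCKED_TYPES = {"rtf", "ole2"}


def sniff_office_type(data: bytes) -> str:
    """Classify a file body by its leading bytes, ignoring the filename entirely."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"
        return "ooxml" if "[Content_Types].xml" in names else "zip"
    return "other"


def extension_only_decision(filename: str) -> str:
    """Weak policy: trust the extension the sender chose."""
    ext = os.path.splitext(filename)[1].lower()
    return "block" if ext in BLOCKED_EXTENSIONS else "allow"


def content_aware_decision(filename: str, data: bytes) -> str:
    """Hardened policy: block if either the name or the bytes identify an affected format."""
    if extension_only_decision(filename) == "block":
        return "block"
    return "block" if sniff_office_type(data) in BLOCKED_TYPES else "allow"


def build_samples() -> dict:
    """Constructed sample bodies: format headers only, no document content or exploit."""
    rtf = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}Hello}"
    ole2 = OLE2_MAGIC + b"\x00" * 504                # one zero-filled 512-byte header sector
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    return {"rtf": rtf, "ole2": ole2, "ooxml": buf.getvalue(), "text": b"plain notes\n"}


def compare_policies() -> dict:
    """Run both policies over honestly and dishonestly named samples.

    Returns {filename: (extension_only_decision, content_aware_decision)}.
    """
    s = build_samples()
    cases = {
        "quarterly.xls": s["ole2"],   # honest name: both policies block
        "notes.txt": s["rtf"],        # RTF body under a harmless extension: Word still renders it as RTF
        "diagram.dat": s["ole2"],     # binary Excel/Visio container renamed
        "report.docx": s["ooxml"],    # OOXML is not in this example's block list
        "readme.txt": s["text"],      # plain text: both policies allow
    }
    return {name: (extension_only_decision(name), content_aware_decision(name, body))
            for name, body in cases.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in compare_policies().items():
        print(f"{name:15s} extension-only={weak:5s} content-aware={hardened}")
```

The classic evasion is the reverse of the renamed-.txt case: an RTF body shipped with a .doc name, which Word opens as RTF because it sniffs the content. Keying the block on content type catches both directions, and the OOXML branch is left allowed here only because the bulletins above name RTF, XLS and Visio binaries; widening the policy is a local choice. None of this helps for attachments the proxy cannot inspect, such as password-protected archives or TLS sessions it does not terminate, so treat gateway blocking as a stopgap until the patches are deployed, as the post itself recommends.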

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

  • MS Security Bulletin MS12-029
  • MS Security Bulletin MS12-030
  • MS Security Bulletin MS12-031

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Filed Under: Security Bytes Tagged With: excel, Microsoft, RTF, Updates and patches, visio, word

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use