Severity: High
Summary:
- These vulnerabilities affect: Most current versions of Microsoft Office for Windows and Mac, and related products like Visio Viewer and the Office Compatibility Packs
- How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents
- Impact: An attacker can execute code, potentially gaining complete control of your computer
- What to do: Install the appropriate Office patches as soon as possible, or let Windows Update do it for you.
Exposure:
Today, Microsoft released three security bulletins describing eight vulnerabilities specifically affecting Microsoft Office and its related components. Some of these issues affect Office running on either Windows or Mac computers, while others also affect components like the Office Compatibility Pack and Visio Viewer.
Microsoft also released a fourth Office-related bulletin (MS12-034), which affects many other Microsoft products as well. Since this fourth bulletin also affects Windows users, we will detail it in our upcoming Windows alert. If you use Office, you should also refer to this Windows bulletin, and apply its update as well.
Microsoft’s three Office-specific bulletins describe eight code execution vulnerabilities, all of which involve the way Office (and its related applications) handle different types of documents. These document-handling flaws differ technically, but share the same general scope and impact. If an attacker can entice one of your users to download and open a maliciously crafted Office document, she can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.
The only difference of note between these flaws is which type of Office document attackers use to trigger them. The affected Office documents include Rich Text Files (RTF) opened in Word, Excel (XLS) documents, and Visio (VSD, VSS, etc.) files.
If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:
- MS12-029: Word RTF Code Execution Vulnerability, rated Critical
- MS12-030: Multiple Excel Code Execution Vulnerabilities, rated Important
- MS12-031: Visio Viewer Code Execution Vulnerability, rated Important
Solution Path
Microsoft has released many updates to correct these vulnerabilities. If you use Office or any of the Office-related components mentioned in this alert, you should download, test, and deploy the appropriate patches as quickly as possible, or let Windows Update automatically install them for you.
The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find the various updates:
For All WatchGuard Users:
Many WatchGuard appliances can block incoming Office documents. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if Office documents are not absolutely necessary to your business, you may consider blocking them using our proxies, at least until you install these patches.
If you would like to use our XTM and Firebox appliance’s proxy policies to block the affected documents, follow the links below for general proxy instructions:
- XTM Appliance with WSM 11.x
- Firebox X Edge running 10.x
- Firebox X Core and X Peak running Fireware 10.x
Status:
Microsoft has released Office updates to fix these vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).