
Secplicity - Security Simplified

Powered by WatchGuard Technologies

One Critical and Two Important Microsoft Office Updates

August 14, 2012 By Corey Nachreiner

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office, Visio, SQL Server, Commerce Server, Host Integration Server 2004, Visual FoxPro, and Visual Basic 6.0 Runtime
  • How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting web sites with malicious content
  • Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released three Office-related security bulletins describing vulnerabilities found in Microsoft Office, Visio, and other productivity-related software. They rate one of the updates as Critical and the others as Important.

Besides affecting Office, the Critical update also affects:

  • SQL Server (most versions)
  • Commerce Server (all versions)
  • Host Integration Server 2004
  • Visual FoxPro
  • Visual Basic Runtime

We summarize the three bulletins below:

  • MS12-060: Common Controls Remote Code Execution Vulnerability

Office (and many other Microsoft products listed above) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). One of the ActiveX controls in this library suffers from an unspecified remote code execution vulnerability. By enticing one of your users to visit a malicious web page, into clicking a specially crafted link, or into opening an Office document that embeds the control, an attacker could exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the machine. Microsoft’s update sets the kill bit for the vulnerable ActiveX control. Because Microsoft distributes the fix separately for each affected product, install it for every affected product present on a machine, not just the one for Office.

According to Microsoft, attackers are exploiting this vulnerability in the wild, in “limited targeted” attacks. This significantly increases the risk of this already serious vulnerability. You should apply this update immediately.

Microsoft rating: Critical.
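
The kill bit the update sets is a registry flag, so a patched fleet can be verified from a registry export. The following is an added example, not Microsoft’s or WatchGuard’s code: it reads a `reg export` dump of the two compatibility keys (the one Internet Explorer honours and the one Office honours) and reports, per CLSID, whether the 0x400 kill bit is set. The CLSIDs in the sample export are constructed placeholders, not the MSCOMCTL controls covered by MS12-060; pass the CLSIDs of the controls you want to verify. The live `winreg` check assumes it runs on Windows.

```python
r"""Audit ActiveX kill bits from a Windows registry export.

Added example, not Microsoft's or WatchGuard's code. A kill bit is the
"Compatibility Flags" DWORD with bit 0x400 set under a control's CLSID in
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility  (IE, WebBrowser hosts)
  HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility          (Office documents)
A control can be blocked in one and still load in the other, so both are checked.
The CLSIDs in SAMPLE_REG are constructed placeholders, not the MSCOMCTL controls.
"""
import re
import sys

KILL_BIT = 0x400
SCOPES = {
    "ie": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    "office": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility",
}
_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})\s*$')


def parse_reg_export(text: str) -> dict:
    """Map (scope, {CLSID}) -> Compatibility Flags for every CLSID subkey of the
    two keys. Input is .reg / `reg export` text; when reading such a file from
    disk, decode it as UTF-16 (reg export writes a BOM-prefixed UTF-16 file)."""
    flags = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            parent, _, clsid = m.group(1).rpartition("\\")
            current = None
            for scope, base in SCOPES.items():
                if parent.upper() == base.upper():
                    current = (scope, clsid.upper())
            continue
        m = _FLAGS_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags


def killbit_set(flags_dword) -> bool:
    """True only if the entry exists and bit 0x400 is set (other bits are
    unrelated compatibility settings and do not block the control)."""
    return flags_dword is not None and bool(flags_dword & KILL_BIT)


def audit(text: str, clsids) -> dict:
    """Per CLSID and scope: True = kill-bitted, False = entry present without
    the bit, None = no entry at all (the control loads)."""
    flags = parse_reg_export(text)
    report = {}
    for clsid in clsids:
        c = clsid.upper()
        report[c] = {scope: (killbit_set(flags[(scope, c)]) if (scope, c) in flags else None)
                     for scope in SCOPES}
    return report


def live_flags(clsid: str) -> dict:
    """Windows only: read both keys directly. 32-bit Office on 64-bit Windows
    reads the Wow6432Node view of these keys, so check that view there too."""
    if sys.platform != "win32":
        raise OSError("live registry check requires Windows")
    import winreg
    out = {}
    for scope, base in SCOPES.items():
        subkey = base.split("\\", 1)[1] + "\\" + clsid
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                out[scope] = winreg.QueryValueEx(key, "Compatibility Flags")[0]
        except OSError:
            out[scope] = None
    return out


# Constructed sample export: AAAA is kill-bitted in both scopes, BBBB has an
# entry in IE without the bit and nothing in Office, CCCC has no entry anywhere.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000AAAA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000BBBB}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{00000000-0000-0000-0000-00000000AAAA}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    for clsid, status in audit(SAMPLE_REG, ["{00000000-0000-0000-0000-00000000AAAA}",
                                            "{00000000-0000-0000-0000-00000000BBBB}",
                                            "{00000000-0000-0000-0000-00000000CCCC}"]).items():
        print(clsid, status)
```

A CLSID that comes back `None` in the Office scope is the case to chase: the control is not blocked for documents even if Internet Explorer refuses it.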

  • MS12-057: CGM File Memory Corruption Vulnerability

Computer Graphics Metafile (CGM) is an ISO standard (ISO/IEC 8632) for 2D vector and raster graphics, with binary, character, and clear-text encodings. Though few people actually use CGM files today, Microsoft Office still supports this legacy file type.

According to the bulletin, Office suffers from an unspecified memory corruption vulnerability involving the way it handles CGM files. By enticing one of your users into opening a CGM file, or into opening an Office document containing an embedded CGM file, an attacker can exploit this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative rights, the attacker gains complete control of the computer.

Microsoft rating: Important

  • MS12-059: Visio DXF Buffer Overflow Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams.

Visio and Visio Viewer suffer from a buffer overflow vulnerability involving the way they parse a specially crafted AutoCAD Drawing Exchange Format (DXF) file, a CAD interchange format that Visio can import. If an attacker can entice one of your users into downloading and opening a maliciously crafted DXF file, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects Visio and Visio Viewer 2010.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

  • MS12-060
  • MS12-057
  • MS12-059

For All WatchGuard Users:

Many of WatchGuard’s security appliances can help mitigate the risk of some of these attacks. For instance, you can configure WatchGuard appliances to block the file types involved in a few of these attacks (such as DOC, XLS, and DXF files), and you can leverage our security services to mitigate the risk of malware delivered via these attacks.

However, most administrators prefer to allow Office documents into their network, and our appliances cannot protect you against all avenues of attack, especially local ones. So we still recommend you apply Microsoft’s patches to best protect your network.
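
Blocking the file types involved only works if the gateway recognises a file by its content rather than its name: a renamed CGM or DXF attachment, or a CGM embedded inside an Office document (the delivery route described for MS12-057 above), carries no telltale extension. The following is an added example, not WatchGuard or Microsoft code, of such a content-based check for the formats this alert discusses: CGM, DXF, and the two Office container formats. It also looks inside OOXML (ZIP) containers for an embedded CGM. The sample inputs are constructed, and the mapping of extensions to expected content is an assumption of this example.

```python
"""Content-based identification of the file types named in this alert.

Added example (not WatchGuard or Microsoft code): it decides on file bytes,
not on the extension, because a gateway rule that blocks *.dxf or *.cgm by
name is defeated by renaming the attachment. Sample inputs are constructed.
"""
import io
import struct
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # binary Office: DOC, XLS, PPT, VSD
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML: DOCX, XLSX, VSDX (ZIP container)
BINARY_DXF_SENTINEL = b"AutoCAD Binary DXF\r\n\x1a\x00"
BLOCKED = {"cgm", "dxf"}                           # policy: the two legacy graphics formats
EXPECTED = {"doc": "ole2", "xls": "ole2", "vsd": "ole2",   # assumed extension -> content map
            "docx": "zip", "xlsx": "zip", "vsdx": "zip",
            "cgm": "cgm", "dxf": "dxf"}


def is_cgm(data: bytes) -> bool:
    """CGM (ISO/IEC 8632) binary encoding starts with a BEGIN METAFILE element:
    a big-endian 16-bit command header whose element class (bits 15-12) is 0
    and element id (bits 11-5) is 1. The clear-text encoding starts with BEGMF."""
    if data[:5].upper() == b"BEGMF":
        return True
    if len(data) < 2:
        return False
    (word,) = struct.unpack(">H", data[:2])
    return (word >> 12) == 0 and ((word >> 5) & 0x7F) == 1


def is_dxf(data: bytes) -> bool:
    """DXF is a list of (group code, value) line pairs. An ASCII DXF opens with
    optional 999 comment pairs, then group code 0 with value SECTION; a binary
    DXF opens with a fixed 22-byte sentinel."""
    if data.startswith(BINARY_DXF_SENTINEL):
        return True
    lines = data[:4096].splitlines()
    for i in range(0, len(lines) - 1, 2):
        code, value = lines[i].strip(), lines[i + 1].strip()
        if code == b"999":          # comment pair, keep scanning
            continue
        return code == b"0" and value == b"SECTION"
    return False


def identify(data: bytes) -> str:
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if is_cgm(data):
        return "cgm"
    if is_dxf(data):
        return "dxf"
    return "unknown"


def blocked_members(zip_bytes: bytes, limit: int = 1 << 20) -> list:
    """OOXML is a ZIP; an embedded CGM lives as a member such as word/media/*.
    Returns member names whose content is a blocked type. Members are read up
    to `limit` bytes so a decompression bomb cannot exhaust memory."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                if identify(member.read(limit)) in BLOCKED:
                    hits.append(info.filename)
    return hits


def should_block(filename: str, data: bytes) -> tuple:
    """(block?, reason). Blocks on content, on blocked content inside an OOXML
    container, and on an extension/content mismatch, which is itself a strong
    evasion signal even when the content is not on the block list."""
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in BLOCKED:
        return True, f"content is {kind}"
    if kind == "zip":
        try:
            hits = blocked_members(data)
        except zipfile.BadZipFile:
            return True, "corrupt ZIP container"
        if hits:
            return True, "embedded " + ", ".join(hits)
    if ext in EXPECTED and EXPECTED[ext] != kind:
        return True, f".{ext} extension but content is {kind}"
    return False, kind


# Constructed samples (not real malicious files).
CGM_SAMPLE = b"\x00\x25\x04test\x00"            # BEGIN METAFILE, 5-byte string param "test"
DXF_SAMPLE = b"999\r\nconstructed\r\n  0\r\nSECTION\r\n  2\r\nHEADER\r\n  0\r\nENDSEC\r\n  0\r\nEOF\r\n"


def docx_with_cgm() -> bytes:
    """Minimal OOXML-shaped ZIP carrying a CGM under word/media (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/media/image1.cgm", CGM_SAMPLE)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("drawing.txt", DXF_SAMPLE), ("image.bin", CGM_SAMPLE),
                       ("report.docx", docx_with_cgm()), ("memo.doc", b"just text\n")]:
        print(name, should_block(name, blob))
```

Legacy binary Office files (OLE2) are compound documents and would need an OLE parser to inspect their embedded streams the same way; this example stops at identifying the container.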

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

  • MS Security Bulletin MS12-060
  • MS Security Bulletin MS12-057
  • MS Security Bulletin MS12-059

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


Filed Under: Security Bytes Tagged With: microsoft office, sharepoint, visio
