Severity: High
Summary:
- These vulnerabilities affect: Microsoft Office, Visio, SQL Server, Commerce Server, Host Integration Server 2004, Visual FoxPro, and Visual Basic 6.0 Runtime
- How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting web sites with malicious content
- Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
- What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.
Exposure:
Today, Microsoft released three Office-related security bulletins describing vulnerabilities found in Microsoft Office, Visio, and other productivity-related software. They rate one of the updates as Critical and the others as Important.
Besides affecting Office, the Critical update also affects:
- SQL Server (most versions)
- Commerce Server (all versions)
- Host Integration Server 2004
- Visual FoxPro
- Visual Basic Runtime
We summarize the three bulletins below:
- MS12-060: Common Controls Remote Code Execution Vulnerability
Office (and many other Microsoft products listed above) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). One of the ActiveX controls in this library suffers from an unspecified remote code execution vulnerability. By enticing one of your users to visit a malicious web page, or into clicking a specially crafted link, an attacker could exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of his machine. Microsoft’s update sets the kill bit for the vulnerable ActiveX control.
According to Microsoft, attackers are exploiting this vulnerability in the wild, in “limited targeted” attacks. This significantly increases the risk of this already serious vulnerability. You should apply this update immediately.
Microsoft rating: Critical.
- MS12-057: CGM File Memory Corruption Vulnerability
Computer Graphics Metafiles (CGM) are text-based file representations of 2D vector or raster graphics. Though few people actually use CGM files today, Microsoft Office still supports this legacy file type.
According to the bulletin, Office suffers from an unspecified memory corruption vulnerability involving the way it handles CGM files. By enticing one of your users into opening a CGM file, or into opening an Office document containing an embedded CGM file, an attacker can exploit this flaw to execute code on that user’s computer, with the user’s privileges. If your users have local administrative rights, the attacker gains complete control of the computer.
Microsoft rating: Important
- MS12-059: Visio DXF Buffer Overflow Vulnerability
Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams.
Visio and Visio Viewer suffer from a buffer overflow vulnerability involving the way they handle a specific type of specially crafted Visio document, called a DXF file. If an attacker can entice one of your users into downloading and opening a maliciously crafted DXF file, he can exploit this flaw to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects Visio and Visio Viewer 2010.
Microsoft rating: Important
Solution Path
Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.
The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:
For All WatchGuard Users:
Many of WatchGuard’s security appliances can help mitigate the risk of some of these attacks. For instance, you can configure WatchGuard appliances to block the Office documents related to a few of these attacks (such as DOC, XLS, and DXF files) and you can leverage our security services to mitigate the risk of malware delivered via these attacks.
However, most administrators prefer to allow Office documents into their network, and our appliances cannot protect you against all avenues attacks, especially local ones. So we still recommend you apply Microsoft’s patches to best protect your network.
Status:
Microsoft has released updates to fix these vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).