Severity: High
Summary:
- These vulnerabilities affect: Microsoft Office related products, including Word, Works, Sharepoint, InfoPack, Communicator, Lync, Groove, and more
- How an attacker exploits them: Multiple vectors of attack, including enticing users to click specially crafted links, or to open specially crafted documents
- Impact: In the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.
Exposure:
Today, Microsoft released four security bulletins that fix around 20 vulnerabilities in a wide range of Microsoft Office and Server Software products. The affected products include:
- Word and Word Viewer
- Works 9
- Sharepoint Server
- InfoPath
- Communicator and the new Lync
- Groove
- FAST Search Server
- and the Office Web Apps
I summarize these four security bulletins below, in order from highest to lowest severity.
- MS12-064: Two Word Memory Corruption Vulnerabilities
Word is the popular word processor that ships with Office. It suffers from two memory corruptions vulnerabilities having to do with how it handles maliciously crafted Word or RTF documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage either of these flaws to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could leverage these vulnerabilities to gain complete control of their machines. These flaws affect all current versions of Word; including Word Viewer, the Office Compatibility Pack, and the Office Web Apps.
Microsoft rating: Critical
- MS12-065: Works 9 Heap Buffer Overflow Vulnerability
Works is a light-weight word processor, which is less expensive that Word but lacking in features. It suffers from a buffer overflow vulnerability having to do with how it handles malformed Word documents. By luring one of your users into downloading and opening a malicious Word document, an attacker can exploit this buffer overflow to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. The flaw only affects Works 9.
Microsoft rating: Important
- MS12-066 : Microsoft Server Software XSS Vulnerability
Many of Microsoft’s Server Software products (including Sharepoint Server, Communicator and Lync, InfoPath, and Groove) suffer from a Cross-site Scripting (XSS) vulnerability having to do with the servers’ inability to properly sanitize HTML inputs. The bulletin doesn’t describe exactly what element of these web-based servers suffers from the XSS vulnerability; only that they do. In any case, if an attacker can trick you into clicking a specially crafted link, he could leverage this flaw to to steal your web cookie, hijack your web session, or essentially take any action you could on the vulnerable server. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer.
Microsoft rating: Important
- MS12-067 : FAST Search Server Oracle Outside In Vulnerabilities
Microsoft’s FAST Search Server improves the searchability of your SharePoint infrastructure. In previous alerts and videos, we warned you that Microsoft Exchange leveraged Oracle’s Outside In technology to parse various types of file attachments, and that Outside In suffered from a number remote code execution vulnerabilities. FAST Search Server implements Outside In, and also suffers from these vulnerabilities. If an attacker can upload a specially crafted file to a share that FAST Search Server indexes, he could leverage these vulnerabilities to execute arbitrary code on the FAST Search Server. However, two factors significantly mitigate the severity of these issues. First, most administrators only use this server to index internal file shares, which means the attacker needs local access and privilege to upload her malicious file. Furthermore, the attacker could only execute code with the limited privileges of a “user account with a restricted token.”
Microsoft rating: Important
Solution Path:
Microsoft has released Office and Server Software patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you. That said, we highly recommend you test server updates before deploying them, so you may not want to turn on automatic updates for your servers.
The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:
For All WatchGuard Users:
Our XTM security appliances can mitigate the risk of many of these flaws. One of our generic XSS detection signatures already detects and prevents the XSS flaw described in MS12-066. Furthermore, with information from Microsoft’s Active Protections Program (MAPP), we have already developed a signature for the RTF exploit described in MS12-064, which we will include in a new signature set your appliance should get shortly.
Furthermore, WatchGuard’s Gataway Antivirus (GAV) service detects most of the common malware attackers try to deliver when exploiting these flaws. In short, if you have our UTM bundle and enable IPS and GAV, we can protect you from many attacks that try to leverage these flaws.
Nonetheless, Attackers can exploit these flaws in other ways as well, including uploading malicious files locally. We still recommend you install Microsoft’s updates as quickly as possible to completely protect yourself from these flaws.
Status:
Microsoft has released patches correcting these issues.
References:
- Microsoft Security Bulletin MS12-064
- Microsoft Security Bulletin MS12-065
- Microsoft Security Bulletin MS12-066
- Microsoft Security Bulletin MS12-067
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
What did you think of this alert? Let us know at [email protected].
Leave a Reply