Four Office-related Updates Fix Productivity Software Vulnerabilities

Severity: High

Summary:

• These vulnerabilities affect: Microsoft Visio Viewer 2010, SharePoint Server 2010, OneNote 2010, and Outlook for Mac
• How an attacker exploits them: Multiple vectors of attack, including luring your users into opening malicious Office documents, or into visiting malicious URLs
• Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer
• What to do: Install the appropriate Microsoft updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing vulnerabilities in some of their Office-related productivity packages,  including Visio Viewer, SharePoint, OneNote, and Outlook for Mac. We summarize the four security bulletins below, in order of severity:

• MS13-023: Visio Viewer Code Execution Vulnerability

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from a memory-related code execution vulnerability, having to do with the way it handles specially crafted Visio diagrams. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit this vulnerability to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. This flaw only affects the 2010 version of Visio Viewer.

Microsoft rating: Critical

• MS13-024: Various SharePoint Vulnerabilities
  

SharePoint and SharePoint Foundation are Microsoft’s web and document collaboration and management platforms. They suffer from four different security issues, including a few elevation of privilege flaws, a Cross-Site Scripting vulnerability (XSS), and a Denial of Service (DoS) issue. By either enticing one of your users into clicking a malicious URL, or by inputting a specially crafted URL into a vulnerable SharePoint server, an attacker could exploit the worst of these flaws to gain elevated access to your SharePoint server, allowing him to view or change the documents your user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Critical.

• MS13-025: OneNote 2010 Information Disclosure Flaw

Microsoft OneNote is a digital notebook that provides you a place to easily take notes on your digital device. It ships with most recent versions of Office. OneNote suffers from an information disclosure flaw. If an attacker can entice one of your users into downloading and opening a maliciously crafted OneNote (.ONE) file, she can leverage this flaw to read arbitrary data from your computer’s memory. Depending on what you are doing on your computer at the time, this flaw could allow the attacker to gain access to some of your sensitive information, including usernames and passwords. The issue only affects the 2010 version of OneNote.

Microsoft rating: Important

• MS13-026: Outlook for Mac Information Disclosure Flaw

Outlook for Mac (the Apple OS X version of Microsoft’s email client) suffers from a relatively minor information disclosure vulnerability having to do with how it previews certain HTML email messages. If an attacker can lure you into opening a specially crafted HTML email, they can verify your email address is accurate and confirm you previewed the message. At best, this vulnerability may help attackers enumerate valid email addresses for later use in their spam and phishing attacks. However, it does not give attackers any further access to your email messages or computer. For that reason, we believe it poses a fairly low risk.

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

• MS13-023
• MS13-024
• MS13-025
• MS13-026

For All WatchGuard Users:

Attackers can exploit these vulnerabilities using diverse methods. Though you can configure WatchGuard appliances to block some of the Office documents related to a few of these attacks, and you can leverage our security services to mitigate the risk of malware delivered via these attacks, we cannot protect you against all of them; especially the local ones. We recommend you apply Microsoft’s patches to best protect your network.

That said, our IPS signature team has developed new signatures that can detect and block some of the SharePoint attacks:

• WEB Microsoft SharePoint Server Callback Function Vulnerability (CVE-2013-0080)
• WEB Microsoft SharePoint XSS Vulnerability (CVE-2013-0083)
• WEB Microsoft Share Point Directory Traversal Vulnerability -1 (CVE-2013-0084)
• WEB Microsoft Share Point Directory Traversal Vulnerability -2 (CVE-2013-0084)
• WEB Microsoft Share Point Directory Traversal Vulnerability -3 (CVE-2013-0084)

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

• MS Security Bulletin MS12-023
• MS Security Bulletin MS12-024
• MS Security Bulletin MS12-025
• MS Security Bulletin MS12-026

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).