Office Patches Mend Word, Visio, Publisher, and Lync

Severity: High

Summary:

• These vulnerabilities affect: Microsoft Office related products, including Word, Visio, Publisher, and Lync
• How an attacker exploits them: Typically by enticing users to open or interact with maliciously crafted Office documents
• Impact: In the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins that fix 14 vulnerabilities in a range of Microsoft Office products, including Word, Visio, Publisher, and Lync. We summarize these four security bulletins below, in order from highest to lowest severity.

• MS13-041: Lync Remote Code Execution (RCE) Vulnerability

 Lync is a unified communications tool that combines voice, IM, audio, video, and web-based communication into one interface. It’s essentially the replacement for Microsoft Communicator. It suffers from an unspecified memory corruption vulnerability that attackers could leverage to execute arbitrary code on your computer. If an attacker can convince one of your users to join a Lync or Communicator session containing specially crafted content, they could execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker could gain complete control of affected computers. This flaw only affects certain versions of Lync and Communicator. See the “Affected and Non-Affected Software” section of Microsoft’s bulletin for more details.

Microsoft rating: Critical

• MS13-042: Multiple Publisher Memory Corruption Vulnerabilities

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from eleven memory corruption vulnerabilities. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. These flaws affect all versions of Publisher except 2013.

Microsoft rating: Important

• MS13-043 :  Word RCE Vulnerability

Word is the popular word processor that ships with Office. It suffers from a remote code execution (RCE) vulnerability having to do with how it handles Word or RTF documents containing maliciously crafted shape data. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word and Word Viewer 2003.

Microsoft rating: Important

• MS13-044 : Visio Information Disclosure Vulnerability
  

Microsoft Visio is a popular diagramming program often used to create network diagrams.  Visio suffers from a complex information disclosure vulnerability, involving the way it parses specially crafted XML content. At a high level, XTM documents can contain “external entities;” essentially text or binary data from an external location. If an attacker can entice one of your users into downloading and opening a malicious Visio document (containing XTM content), he can exploit this flaw to read data from files on the victim’s computer. This flaw affects all versions of Visio except 2013.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

• MS13-041
• MS13-042
• MS13-043
• MS13-044

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed a signature that can detect and block the Visio Information Disclosure issue:

• EXPLOIT Microsoft Visio XML External Entities Resolution Vulnerability (CVE-2013-1301)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS13-041
• Microsoft Security Bulletin MS13-042
• Microsoft Security Bulletin MS13-043
• Microsoft Security Bulletin MS13-044

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.