Secplicity – Security Simplified

Office Updates Fix SharePoint, Outlook, Word, and More

Severity: High

Summary:

Exposure:

Today, Microsoft released seven security bulletins that fix 26 vulnerabilities in a range of Microsoft Office products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and an IME component. We summarize these security bulletins below, in order from highest to lowest severity.

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from a number of vulnerabilities, ranging from remote code execution flaws to a denial of service (DoS) condition. The worst vulnerability is an input validation flaw involving how SharePoint handles specially crafted content. If an attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP service account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default, potentially making this a complete system compromise. In either case, Microsoft assigns this particular flaw their highest severity rating, so SharePoint administrators should patch as soon as possible, especially if you expose your services publicly.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

Outlook is the popular Windows email client that ships with Office. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting MIME data, or put more simply, it allows you to encrypt email. Outlook suffers from a code execution vulnerability involving the way it handles specially crafted S/MIME messages. An attacker could exploit this flaw to execute code on your computer simply by sending you a specially crafted email (though you’d have to open or preview the message first). The code runs with your privileges, and if your users have local administrator privileges, the attacker gains complete control of their PCs. This flaw sounds, and is, pretty severe, with one small exception: Microsoft believes it is technically pretty difficult to exploit. Nonetheless, we recommend you apply the patch posthaste.

Microsoft rating: Critical

Word is the popular word processor that ships with Office. It suffers from ten memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage these flaws to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaws only affect the Windows versions of Word and Word Viewer, not Word for Mac.

Microsoft rating: Important

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. These flaws are essentially the same as the Word ones described above, but they affect Excel-related documents. So in short, if an attacker tricks you into opening a malicious Excel file, he can execute code as you. If you’re a local administrator, he has full control of your computer. Again, the flaws only affect the Windows versions, not Mac ones.

Microsoft rating: Important

Access is the popular database program that ships with Office. It suffers from three memory corruption vulnerabilities having to do with how it handles specially crafted database files. These flaws are identical in scope and impact to the two above, only they affect Access files. If you open the wrong database, an attacker can execute code as you.

Microsoft rating: Important

FrontPage is a WYSIWYG HTML editor for creating web sites, which ships with Office. It suffers from an information disclosure vulnerability. If an attacker can trick a FrontPage user into opening a specially crafted FrontPage document, she could exploit this flaw to read the contents of any file on that user’s computer (assuming she knows the location of a specific file).

Microsoft rating: Important

Input Method Editors (IME) are optional components that allow Latin keyboard users to type non-Latin characters in Office or Windows. Unfortunately, the Office IME for Pinyin Chinese suffers from an elevation of privilege (EoP) vulnerability. If an attacker can gain local access to your computer using valid Windows credentials, he could run a specially crafted program that would give him full SYSTEM-level privileges on your computer. Of course, the attack only affects those who’ve specifically installed the Pinyin Chinese Office IME, and the attacker must have a valid login to exploit the issue.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server, or use the SMTP proxy to block messages containing S/MIME content (by blocking the application/pkcs7-mime MIME content type).
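The S/MIME content-type rule described above can be checked against stored mail before you enable it. The following is an added example, not WatchGuard's proxy logic or anything from the original alert; the function names, the legacy application/x-pkcs7-mime alias, and the three sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes

# Content type named in the alert, plus its legacy "x-" alias (added assumption).
BLOCKED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def smime_parts(raw: bytes):
    """Return (content_type, smime_type, filename) for each part the rule matches."""
    hits = []
    # walk() visits every MIME part, including parts of attached message/rfc822 mail.
    for part in message_from_bytes(raw).walk():
        ctype = part.get_content_type()  # lowercased, parameters stripped
        if ctype in BLOCKED_TYPES:
            hits.append((ctype, part.get_param("smime-type"), part.get_filename()))
    return hits

def verdict(raw: bytes) -> str:
    """'block' if any part carries a blocked S/MIME content type, else 'allow'."""
    return "block" if smime_parts(raw) else "allow"

# Constructed sample: encrypted (enveloped) S/MIME message.
ENVELOPED = b"""\
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

AAAA
"""

# Constructed sample: clear-signed mail, which uses application/pkcs7-signature.
CLEAR_SIGNED = b"""\
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: ordinary plain-text mail.
PLAIN = b"Content-Type: text/plain\n\nhello\n"

if __name__ == "__main__":
    for name, raw in (("enveloped", ENVELOPED), ("clear-signed", CLEAR_SIGNED), ("plain", PLAIN)):
        print(name, verdict(raw), smime_parts(raw))
```

Running this over a mail archive shows how much legitimate encrypted mail the rule would stop; clear-signed messages use a different content type and are not matched by it.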

Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of these attacks:

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

