Severity: High
Summary:
- These vulnerabilities affect: Microsoft Office related products, including SharePoint, Word, and Excel
- How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
- Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you
Exposure:
Today, Microsoft released three security bulletins that fix five vulnerabilities in SharePoint, Word, and Excel, which are all part of Microsoft’s Office suite of products. We summarize these security bulletins below, in order from highest to lowest severity.
- MS13-084: Two SharePoint Vulnerabilities
SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both a remote code execution and cross-site scripting (XSS) flaw. The remote code execution is the more severe issue, and involves a flaw in the way Sharepoint handles specially crafted Excel files (this flaw directly relates to an Excel flaw we describe below). If an attacker can entice you to open a specially crafted Excel file from a SharePoint server (or from the Office Services or Web Apps), he could leverage this flaw to execute code on your computer, with your privileges. If you’re an administrator, the attacker has total control of your machine.
These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.
Microsoft rating: Critical
- MS13-085: Two Excel Memory Corruption Vulnerabilities
Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. One of these two Excel flaws is identical the the Excel-related flaw in Sharepoint. This flaw does not affect Excel 2003, but it does affect Excel for Mac
Microsoft rating: Important
- MS13-086: Two Word Memory Corruption Vulnerabilities
Word is the popular word processor that ships with Office. It, like Excel, suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word 2003 and 2007, not Word for Mac.
Microsoft rating: Important
Solution Path:
Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.
Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.
The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:
For All WatchGuard Users:
WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of these attacks:
- WEB Microsoft Parameter Injection Vulnerability (CVE-2013-3895)
- EXPLOIT Microsoft Word Memory Corruption Vulnerability (CVE-2013-3891)
Your XTM appliance should get this new IPS update shortly.
Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.
Status:
Microsoft has released patches correcting these issues.
References:
- Microsoft Security Bulletin MS13-084
- Microsoft Security Bulletin MS13-085
- Microsoft Security Bulletin MS13-086
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.