Severity: High
Summary:
- These vulnerabilities affect: Microsoft Office-related products like OneNote and SharePoint Server
- How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
- Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
- What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you
Exposure:
Today, Microsoft released two security bulletins that fix two vulnerabilities in OneNote and SharePoint. We summarize these security bulletins below, in order from highest to lowest severity.
- MS14-048: OneNote Code Execution Vulnerability
OneNote is a collaborative, multiuser note-taking application that ships with Office. It suffers from an unspecified vulnerability having to do with how it handles specially crafted OneNote files. If an attacker can lure you into opening such a file, she could exploit this flaw to execute code on your computer, with your privileges. As usual, if you are a local administrator, the attacker gains complete control of your PC.
Microsoft rating: Important
- MS14-050: SharePoint Elevation of Privilege Vulnerability
SharePoint Server is Microsoft’s web and document collaboration and management platform. It suffers from a privilege escalation vulnerability. SharePoint offers an extensibility model that allows you to create apps that can access and use SharePoint resources. However, SharePoint suffers from an unspecified flaw that allows specially crafted apps to bypass permission management. In short, by running a specially crafted application, an attacker may be able to access all the SharePoint resources of the currently logged-in user.
Microsoft rating: Important
Solution Path:
Microsoft has released Office and SharePoint-related patches that correct these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.
Keep in mind, however, that we highly recommend you test updates before running them in your production environment, especially updates for critical production servers.
The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:
For All WatchGuard Users:
We recommend you install Microsoft’s updates to completely protect yourself from these flaws.
Status:
Microsoft has released patches correcting these issues.
References:
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).