Posted 10 December 2008

Eighteen Vulnerabilities Affect Microsoft Office Products

Severity: High. These vulnerabilities affect: Many Office family products, including Word, Excel, Sharepoint, and others.
  • How an attacker exploits them: Multiple vectors of attack, such as enticing your users to open maliciously crafted Office documents, or to visit a malicious web site
  • Impact: Various results; in the worst case, attacker can execute code, potentially gaining complete control of your computer
  • What to do: Install the appropriate patches immediately

Exposure:

Today, Microsoft released four security bulletins describing 18 vulnerabilities found in applications that are part of Microsoft's Office product family. Some of the vulnerabilities also affect Microsoft developer products. Each vulnerability affects different versions of these products to a different extent. The full list of affected products includes:

  • Microsoft Word for Windows and Mac (part of Microsoft Office)
    • Word Viewer
    • Office Compatibility Pack for 2007 Formats
    • Open XML File Format Converter for Mac
  • Microsoft Excel for Windows and Mac (part of Microsoft Office)
    • Excel Viewer
    • Office Compatibility Pack for 2007 Formats
    • Open XML File Format Converter for Mac
  • Microsoft Works
  • Microsoft Sharepoint Server
  • Microsoft Search Server
  • Microsoft Visual Basic
  • Microsoft Visual Studio .NET
  • Microsoft Visual FoxPro
  • Microsoft Office Project
  • Microsoft Office FrontPage

The summary below lists the security bulletins in order from highest to lowest severity:

  • MS08-072 : Multiple Word Memory Corruption Vulnerabilities. This bulletin describes eight vulnerabilities in how Word parses maliciously crafted documents. The flaws differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious document, an attacker could exploit any of these flaws to execute code, potentially gaining complete control of that user's computer. The only difference of note among these flaws involves what type of document an attacker uses in order to exploit them. Microsoft's bulletin specifies that Word (.doc) and Rich Text Format (.rtf) documents can trigger these flaws. -- Microsoft rating: Critical.
  • MS08-074 : Multiple Excel Vulnerabilities. This bulletin describes three vulnerabilities in how Excel parses maliciously crafted spreadsheets. As with the previous Word vulnerabilities, these Excel flaws differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious Excel spreadsheet (.xls), an attacker could exploit any of these flaws to execute code on that user's computer, with that user's privileges. If the user has local administrative privileges, the attacker would gain complete control of the user's machine.. -- Microsoft rating: Critical.
  • MS08-070 : Multiple Visual Basic 6.0 Runtime Extended File Vulnerabilities. According to Microsoft, Visual Basic 6.0 Runtime Extended Files include select ActiveX controls , libraries , and tools, which offer various kinds of pre-packaged functionality to developers who are writing applications. The Visual Basic 6.0 Runtime Extended Files ship with many Microsoft products, including Project, FrontPage, Visual Basic, Visual Studio .NET, and Visual FoxPro. Furthermore, since Microsoft allows third party developers to redistribute the affected Runtime Extended Files with their own applications, the vulnerabilities also might ship with other non-Microsoft applications.

Microsoft's bulletin describes six vulnerabilities involving various ActiveX controls included with the Visual Basic 6.0 Runtime Extended Files. The six flaws differ technically, but share a similar scope and impact. By enticing one of your users to visit a specially crafted web page, an attacker could exploit any one of these flaws to execute code on that user's computer, with the user's privileges. If your user has local administrative privileges the attacker gains full control of the user's PC.. -- Microsoft rating: Critical.

  • MS08-077 : Sharepoint Elevation of Privilege Vulnerability. This bulletin describes an elevation of privilege vulnerability in Microsoft's Sharepoint Server and Search Server. Due to some badly designed, web-based administrative pages, an unauthenticated user can gain access to a subset of administration functions on your Sharepoint and Search Servers. Of course, an attacker needs access to your server's administrative pages in order to carry out this attack. Since most administrators don't allow Internet-based users to access these administrative pages, this vulnerability primarily poses an insider threat. -- Microsoft rating: Important.

Solution Path

Microsoft has released patches for Office (and other related programs) to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

MS08-072 :

Word update for:

MS08-074 :

Excel update for:

MS08-070 :

Note: Third party developers may also redistribute the affected Visual Basic 6.0 Runtime Extended Files with their own applications. In these cases, Microsoft leaves it up to these third parties developers to update the application's Runtime Extended Files.

MS08-077 :

For All WatchGuard Users:

Attackers exploit some of these vulnerabilities by enticing your users into downloading and viewing various Office documents. You can configure some of WatchGuard's Firebox models to block the various Office documents and file types. However, most organizations need to allow Office documents in order to conduct business, and blocking them could bring your business to a halt. Furthermore, some of these attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

Microsoft has released patches correcting these issues.