Severity: High
9 September, 2008
Summary:
§ These vulnerabilities affect: Current versions of Microsoft Office for Windows (not for Mac)
§ How an attacker exploits them: By enticing one of your users to click a malicious link
§ Impact: An attacker can execute code, potentially gaining complete control of your computer
§ What to do: Install the appropriate Office patches immediately
Exposure:
Today, Microsoft released a security bulletin describing a vulnerability in the Office OneNote component that ships with current versions of Microsoft Office. OneNote is a digital notebook that allows you to gather all your notes in one place for easy management, searchability, and collaboration. According to Microsoft, OneNote suffers from an unspecified “validation error” involving the way it handles specially crafted links containing the “onefile://” URI. By enticing one of your users to click on such a link, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. Like most Windows flaws, if your user has administrative rights, the attacker can leverage this attack to totally take over that user’s machine.
Solution Path:
Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
§ 2007 Microsoft Office System
For All WatchGuard Users:
Your users may encounter the malicious links used to trigger this flaw during normal Web browsing. The patches above are your primary recourse.
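While patches roll out, saved HTML (cached pages, mail bodies) can be audited for links that use the URI scheme named in the Exposure section. The script below is an added example, not code from Microsoft or WatchGuard; the sample page, its placeholder hosts and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

WATCHED_SCHEMES = {"onefile"}  # scheme named in the advisory; extend as needed
URL_ATTRS = {"href", "src", "action", "data", "formaction"}
_IGNORED = re.compile(r"[\t\r\n]")  # browser URL parsing drops these characters
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
_META_URL = re.compile(r"url\s*=\s*['\"]?\s*([^'\"]+)", re.I)

def scheme_of(url):
    """Return the lower-cased URI scheme, or '' if the value has none."""
    match = _SCHEME.match(_IGNORED.sub("", url).strip())
    return match.group(1).lower() if match else ""

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in the values.
        present = {k: v for k, v in attrs if v}
        candidates = [(k, v) for k, v in present.items() if k in URL_ATTRS]
        if tag == "meta" and present.get("http-equiv", "").lower() == "refresh":
            found = _META_URL.search(present.get("content", ""))
            if found:
                candidates.append(("content", found.group(1)))
        for name, value in candidates:
            if scheme_of(value) in WATCHED_SCHEMES:
                self.findings.append((self.getpos()[0], tag, name, value.strip()))

def audit_html(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; hosts and paths are placeholders.
SAMPLE = """<html><body>
<a href="https://example.com/notes">benign</a>
<a href="OneFile://placeholder/path">mixed case</a>
<a href="&#111;nefile://placeholder/encoded">entity-encoded</a>
<meta http-equiv="refresh" content="0; url=onefile://placeholder/refresh">
<p>The text onefile:// in prose is not a link.</p>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in audit_html(SAMPLE):
        print(f"line {line}: <{tag} {attr}> -> {url}")
```

The scheme is matched after case folding and character-reference decoding, so mixed-case and entity-encoded forms are reported, while the same string appearing in body text or inside another URL's query string is not.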
Status:
Microsoft has released Office updates to fix these vulnerabilities.