Severity: High
11 March, 2008
Summary:
- These vulnerabilities affect: Most current versions of Microsoft Office for Windows, and in some cases for Mac (and some other Office-related programs)
- How an attacker exploits them: By enticing you to open maliciously crafted Office documents, visit a malicious web site, or click a malicious link
- Impact: An attacker can execute code, potentially gaining complete control of your computer
- What to do: Install the appropriate Office or Office related patches immediately
Severity: High
11 March, 2008
Summary:
- These vulnerabilities affect: Most current versions of Microsoft Office for Windows, and in some cases for Mac (and some other Office-related programs)
- How an attacker exploits them: By enticing you to open maliciously crafted Office documents, visit a malicious web site, or click a malicious link
- Impact: An attacker can execute code, potentially gaining complete control of your computer
- What to do: Install the appropriate Office or Office related patches immediately
Exposure:
Today, Microsoft released four Critical security bulletins describing a dozen vulnerabilities found in components or programs that ship with Microsoft Office for Windows, and in some cases Office for Mac. One of the vulnerabilities also affects Microsoft Visual Studio .NET, Biztalk Server, Commerce Server, and Internet Security and Acceleration Sever. Each vulnerability affects different versions of Office to a different extent.
The dozen flaws affect different components and applications within Office, but the end result is always the same. Either by enticing one of your users to download and view a specially crafted Office document, or by luring one of your users to a malicious web page, an attacker can exploit any of these vulnerabilities to execute code on the victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the victim’s machine.
An attacker can exploit many of these flaws using just about any kind of Office document. While two of Microsoft’s bulletins specifically mention Excel (.xls) files, one bulletin simply mentions “Office files,” which could refer to any Office document type, including Word (.doc), PowerPoint (.ppt), and Publisher (.pub) documents. So, beware of all unexpected Office documents.
If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:
- MS08-014: Multiple Excel vulnerabilities. This bulletin describes seven vulnerabilities involving how Excel handles maliciously crafted Excel documents. By tricking one of your users into downloading and opening an Excel document, an attacker could exploit this flaw to execute code, potentially gaining complete control of that user’s computer.
- MS08-015: Outlook mailto: URI handling vulnerability. Outlook doesn’t properly handle specially crafted mailto: URIs. If an attacker can entice one of your users to click a malicious mailto: link, typically found on a web site, he can exploit this vulnerability to execute code on that user’s computer, potentially gaining total control over it.
- MS08-016: Two Office remote code execution vulnerabilities. This bulletin describes two vulnerabilities involving how Office handles various maliciously crafted Office documents. By tricking one of your users into downloading and opening an Office document, an attacker could exploit this flaw to execute code, potentially gaining complete control of that user’s computer.
- MS08-017: Two Office Web Component vulnerabilities. Office Web Components allow you to either publish Office spreadsheets, charts, and databases to your web site, or to view such Office content on a web site. The Web Components suffer from two memory corruption vulnerabilities. By enticing one of your users to a malicious web site, an attacker could exploit either vulnerability to execute code on that user’s machine, and possibly gain control of it.
In January, Microsoft released an early advisory warning customers of a zero day vulnerability in Microsoft Excel, which attackers are currently exploiting in targeted attacks. Microsoft has confirmed that MS08-014 fixes this outstanding Excel vulnerability. Since Microsoft rates all of these bulletins as Critical, and one bulletin fixes a flaw that attackers are currently exploiting in the wild, we consider these flaws a serious risk. You should patch them immediately.
Solution Path
Microsoft has released patches for Office (and a few related programs) to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
Excel update for:
- Office 2000 w/SP3 (KB946979)
- Office XP w/SP3 (KB946976)
- Office 2003 w/SP2 (KB943985)
- Excel Viewer 2003 (KB943889)
- 2007 Microsoft Office System (KB946974)
- Office 2004 for Mac (KB949357)
- Office 2008 for Mac (KB948057)
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats (KB947801)
Outlook update for:
- Office 2000 w/SP3 (KB946986)
- Office XP w/SP3 (KB946985)
- Office 2003 (KB945432)
- 2007 Microsoft Office System (KB946983)
- Office 2000 w/SP3 (KB947361)
- Office XP w/SP3 (KB947866)
- Office 2003 w/SP2 (KB947355)
- Excel Viewer 2003 (KB947355)
- Office 2004 for Mac (KB949357)
Office Web Components update for:
- Office 2000 w/SP3 (KB931660)
- Office XP w/SP3 (KB932031)
- Visual Studio .NET 2002 (KB933367)
- Visual Studio .NET 2003 (KB933369)
- Biztalk Server 2000 (KB939714)
- Biztalk Server 2002 (KB939714)
- Commerce Server 2000 (KB941305)
- Internet Security and Acceleration Server 2000 (KB948257)
For All WatchGuard Users:
Attackers exploit some of these vulnerabilities by enticing your users into downloading and viewing various Office documents. You can configure some of WatchGuard’s Firebox models to block all Office documents. However, most organizations need to allow Office documents in order to conduct business, and blocking them could bring your business to a halt. Furthermore, the remaining attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
Status:
Microsoft has released patches correcting these issues.