Severity: High
Summary:
These vulnerabilities affect: Microsoft Word 2007 (and related components)
How an attacker exploits them: By enticing users to open or interact with a maliciously crafted Word document
Impact: In the worst case, an attacker can gain complete control of your Windows computer
What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.
Exposure:
As part of today’s Patch Day, Microsoft released a security bulletin describing a vulnerability affecting Word 2007, and related software like the Office compatibility pack.
Word is the popular word processor that ships with Office. It suffers from A memory corruption vulnerabilities having to do with how it handles embedded fonts in documents. By luring one of your users into downloading and opening a malicious Word document, an attacker can exploit this flaw to execute code on that user's computer, with that user's privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs.
Microsoft only rates this update as Important (their medium severity), since it requires user interaction to succeed. However, we've seen many attackers successfully use malicious Office documents in emails, as part of their advanced spear-phishing campaigns. For that reason, we recommend you install Microsoft's Word updates as soon as you can.
Solution Path:
Microsoft has released a Word (and related product) update to correct these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.
See the “Affected and Non-Affected Software” section of Microsoft's Word bulletin for links to the updates.
Microsoft has released patches correcting these issues.
References:
Microsoft Security Bulletin MS14-034
