Secplicity – Security Simplified

Office Updates Fix Word 0day and Publisher Flaw

Severity: High

Summary:

Exposure:

Today, Microsoft released two Office-related security bulletins describing four vulnerabilities found in various Office and Office-related packages, including Word (for Windows and Mac), Publisher, and Office Web Apps. We summarize the bulletins below:

Word is the popular word processor that ships with Office. It suffers from three remote code execution vulnerabilities having to do with how it handles malformed Word and RTF files. They all differ technically, but share the same scope and impact. By luring one of your users into downloading and opening a malicious document, an attacker can exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. If your users have local administrator privileges, the attacker gains complete control of their PCs. This update includes the final fix for a zero-day Word RTF vulnerability we mentioned in a previous alert. Since attackers have been exploiting that vulnerability in the wild, Microsoft assigns this a critical severity rating.

Microsoft rating: Critical

Publisher is Microsoft’s basic desktop publishing and layout program, and part of the Office suite. It suffers from a memory corruption vulnerability that attackers can leverage to execute code. By luring one of your users into downloading and opening a malicious Publisher document, an attacker can exploit this flaw to execute code on that user’s computer, with that user’s privileges. Again, if your users have local administrator privileges, the attacker gains complete control of their PCs. However, the flaw only affects Publisher 2003 and 2007 (not 2010 or 2013).

Microsoft rating: Important

Solution Path

Microsoft has released updates that correct these vulnerabilities. You should download, test, and deploy the appropriate patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware they try to distribute. You can also leverage WatchGuard’s proxy policies to block certain types of documents, such as Publisher files or RTF documents. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.
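When blocking RTF or Publisher documents at a gateway, a rule keyed only on the file extension misses an RTF file saved under a .doc name, so the check should look at file content. The sketch below is an added example, not WatchGuard's implementation or code from the original alert; the function names are hypothetical, the sample inputs are constructed, and the "Quill" storage-name test for Publisher files is a heuristic assumption.

```python
"""Classify attachments by content so RTF/Publisher block rules survive renaming."""

RTF_MAGIC = b"{\\rtf"                             # RTF header as defined by the RTF spec
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # OLE2 compound file signature
# Assumption: Publisher documents carry an OLE2 storage named "Quill";
# OLE2 directory entry names are stored as UTF-16LE.
QUILL_NAME = "Quill".encode("utf-16-le")

BLOCKED_TYPES = {"rtf", "publisher"}              # document types named in the alert


def classify(data: bytes) -> str:
    """Return 'rtf', 'publisher', 'ole2' or 'other' based on file content."""
    # Tolerate a UTF-8 BOM or leading whitespace before the RTF header.
    head = data[:64].lstrip(b"\xef\xbb\xbf \t\r\n")
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls files share this container; only "Quill" marks Publisher.
        return "publisher" if QUILL_NAME in data else "ole2"
    return "other"


def decide(filename: str, data: bytes) -> tuple:
    """Return (action, reason); the extension is reported, never trusted."""
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in BLOCKED_TYPES:
        # Call out a mismatch between the name and the detected content.
        note = "" if ext in ("rtf", "pub") else f" (file named {filename!r})"
        return "block", f"{kind} content{note}"
    return "allow", f"{kind} content"


# Constructed sample inputs (not real documents).
SAMPLES = {
    "notes.rtf": b"{\\rtf1\\ansi Hello}",
    "invoice.doc": b"{\\rtf1\\ansi renamed RTF}",
    "flyer.pub": OLE2_MAGIC + b"\x00" * 504 + QUILL_NAME,
    "report.doc": OLE2_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le"),
    "manual.pdf": b"%PDF-1.4\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, *decide(name, blob))
```
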

Status:

Microsoft has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
