Excel and Publisher Documents Spell Trouble for MS Office

Severity: High

10 July, 2007

Summary:

Today, Microsoft released two security bulletins describing vulnerabilities affecting Microsoft Office for Windows. By enticing one of your users into opening a maliciously formed Office file, an attacker could exploit any of these flaws to execute code on your user’s computer, with your user’s privileges, potentially gaining control of that computer. If you use Office in your network, you should download, test, and deploy the appropriate patches immediately.

Exposure:

Microsoft’s security bulletins describe four vulnerabilities found in Office for Windows. Each of these four flaws differs a little from the others technically, and affects different components within Office. But the end result is always the same: by enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s level of privileges and permissions. If your user has local administrative privilege, the attacker gains full control of the victim machine.

The Office documents Microsoft specifies as vulnerable include Excel (.XLS) and Publisher (.PUB) documents. If you’d like to learn more about each individual flaw, you can look for specifics under the “Vulnerability Information ” section of the security bulletins listed below.

Excel and Publisher Documents Spell Trouble for MS Office

Severity: High

10 July, 2007

Summary:

Today, Microsoft released two security bulletins describing vulnerabilities affecting Microsoft Office for Windows. By enticing one of your users into opening a maliciously formed Office file, an attacker could exploit any of these flaws to execute code on your user’s computer, with your user’s privileges, potentially gaining control of that computer. If you use Office in your network, you should download, test, and deploy the appropriate patches immediately.

Exposure:

Microsoft’s security bulletins describe four vulnerabilities found in Office for Windows. Each of these four flaws differs a little from the others technically, and affects different components within Office. But the end result is always the same: by enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s level of privileges and permissions. If your user has local administrative privilege, the attacker gains full control of the victim machine.

The Office documents Microsoft specifies as vulnerable include Excel (.XLS) and Publisher (.PUB) documents. If you’d like to learn more about each individual flaw, you can look for specifics under the “Vulnerability Information ” section of the security bulletins listed below.

• MS07-036: Three Excel vulnerabilities
• MS07-037: One Publisher vulnerability

Solution Path

Microsoft has released patches for Office that correct these vulnerabilities. Download, test, and deploy the appropriate patches throughout your network immediately.

MS07-036:

• Excel 2007 for 2007 Office System
  • Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
• Excel 2003 for Office 2003
  • Excel Viewer 2003
• Excel XP for Office 2002
• Excel 2000 for Office 2000

MS07-037:

• Publisher 2007 for 2007 Office System

Other versions of Office are unaffected.

For All WatchGuard Users:

While you can configure some of WatchGuard’s Firebox models to block content types associated with Excel (.XLS) and Publisher (.PUB) documents, most organizations must allow these file types in order to conduct business. Blocking them could bring your business to a halt. Therefore, the patches are your best recourse.

However, if you still want to block .XLS or .PUB files, follow the links below for instructions:

• Firebox X Edge running 8.5
  • POP3 Proxy
  • HTTP Proxy

• Firebox III and X Core running WFS
  • SMTP Proxy
  • HTTP Proxy
  • Online Training Proxy Module

• Firebox X Core and X Peak running Fireware Pro
  • SMTP Proxy
  • HTTP Proxy

• Vclass
  • SMTP Proxy. You’ll have to create or adjust a custom proxy action based on SMTP-Incoming in order to strip .XLS and .PUB files. If you have created your own Proxy Action based on SMTP-Incoming, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Content Checking tab, change “Category” to Attachment Filename and click either the Add to Top or Insert After button (only one or the other will display). Next, type “XLS_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.XLS” and select Strip as the Action. Repeat these steps for .PUB files as well. Now you can apply this new Proxy Action to your SMTP rule to ensure your Firebox blocks these files.

•  
  • HTTP Proxy. You’ll have to create or adjust a custom proxy action based on HTTP-Outgoing in order to strip .XLS and .PUB files. If you have created your own Proxy Action based on HTTP-Outgoing, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Request General tab, change “Category” to URL Paths and click on Add. Next, type “XLS_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.PUB” and select Strip as the Action. Repeat these steps for .PUB files, too. Now you can apply this new Proxy Action to your HTTP rule to ensure your Firebox blocks these files.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS07-036
• Microsoft Security Bulletin MS07-037

This alert was researched and written by Corey Nachreiner, CISSP.