Severity: High
13 February, 2007
Summary:
Today, Microsoft released two security bulletins describing eight vulnerabilities affecting Microsoft Office for Windows and Mac. By enticing one of your users into opening a maliciously formed Office file, an attacker could exploit any of these flaws to execute code on your user’s computer, with your user’s privileges, potentially gaining control of that computer. If you use Office in your network, you should download, test, and deploy the appropriate patches immediately.
Exposure:
Microsoft’s two security bulletins describe eight vulnerabilities found in components or programs that ship with Microsoft Office for Windows and Mac. Some of these flaws also affect Microsoft Visio, Works, and Project, since those products include the vulnerable Office components. Each vulnerability affects different versions of Office to a different extent. Each of these eight flaws differs a little from the others technically, and affects different components and applications within Office. But the end result is always the same. By enticing one of your users into downloading and opening a specially crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, with that user’s level of privileges and permissions. If your user has local administrative privilege, the attacker gains full control of that machine.
The Office documents Microsoft specifies as vulnerable include:
- Word (.doc) documents
- PowerPoint (.ppt) documents
- Excel (.xls) documents
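All three formats above share the same OLE2 (Compound File Binary) container, so a gateway or file-share scanner can recognise them by their first eight bytes rather than trusting the extension. The following added example (not from the original post, not WatchGuard or Microsoft code) classifies attachments so that legacy Office documents can be held for scanning until the patches are deployed; the sample attachments and the "hold/mismatch/allow" policy names are constructed for illustration.

```python
# OLE2 / Compound File Binary signature shared by legacy .doc, .xls and .ppt files
# (public value from the CFB specification).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Extensions Office opens with the vulnerable Word/Excel/PowerPoint parsers
# (templates included, since they use the same container).
LEGACY_OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}


def is_ole2(data: bytes) -> bool:
    """True if the payload begins with the OLE2 container signature."""
    return data[:8] == OLE2_MAGIC


def classify_attachment(filename: str, data: bytes) -> str:
    """Return a hypothetical policy verdict for one attachment.

    hold      - an Office document by extension or by content; route to a
                sandbox/quarantine until the MS07-014 / MS07-015 patches are in place
    mismatch  - OLE2 bytes behind a non-Office extension (e.g. .jpg); suspicious
    allow     - neither
    """
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if is_ole2(data):
        return "hold" if ext in LEGACY_OFFICE_EXTS else "mismatch"
    if ext in LEGACY_OFFICE_EXTS:
        # Word/Excel also open non-OLE2 content (RTF, HTML, text) named .doc/.xls,
        # so the extension alone is enough to hold the file.
        return "hold"
    return "allow"


# Constructed sample attachments: only headers, no real document content.
SAMPLES = {
    "quarterly.doc": OLE2_MAGIC + b"\x00" * 24,   # genuine legacy Word container
    "photo.jpg": OLE2_MAGIC + b"\x00" * 24,       # OLE2 bytes disguised as an image
    "memo.doc": b"{\\rtf1 hello}",                # RTF renamed .doc, Word still opens it
    "notes.txt": b"plain text\n",
}


def scan(samples: dict) -> dict:
    """Classify every attachment in the mapping."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:15} {verdict}")
```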
If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:
If you’ve read our past Wire posts on the subject [1 / 2 / 3 / 4], you know that up until today Microsoft Office has suffered from at least five unpatched vulnerabilities in Word and Excel. Microsoft confirmed three of these five vulnerabilities in security advisories they released over the last three months [1 / 2 / 3]. According to updates in these advisories, today’s Office patches fix three of these previously unresolved issues. However, since Microsoft never confirmed two of the unpatched Word flaws, we cannot say for sure whether or not today’s updates fix them as well.
Attackers have been exploiting some of these flaws in the wild for over two months. Many of these flaws were first discovered as exploit code spreading in the wild. That means the bad guys found them before us and have been exploiting them actively. This makes it particularly crucial for you to test and deploy these Office patches immediately.
Solution Path:
Microsoft has released patches for Office, Project, Works, and Visio that correct these vulnerabilities. Download, test, and deploy the appropriate patches throughout your network immediately.
Patches for MS07-014:
- Office 2003
- Office XP (and Works Suites 2004-2006)
- Office 2000
- Mac – see note below
Patches for MS07-015:
- Office 2003
- Office XP
- Office 2000
- Project 2002
- Project 2000
- Visio 2002
- Mac – see note below
Note for Mac users: The patch below corrects the vulnerabilities described in both of Microsoft’s Office security bulletins:
Status:
Microsoft has released patches correcting these issues.
References:
- Microsoft Security Bulletin MS07-014
- Microsoft Security Bulletin MS07-015