Tag Archives: sharepoint

February Patch Day Plugs Microsoft and Adobe Flaws - Daily Security Byte EP. 214

If you’re an IT administrator, you probably know that yesterday was Microsoft Patch Day. You might even know that Adobe shares this day. Watch today’s video for a quick summary of the affected products, and the scope and impact of some of the flaws. More importantly, be sure to follow the links in the Reference section to find out where to get the updates so you can patch quickly.

(Episode Runtime: 2:48)

Direct YouTube Link: https://www.youtube.com/watch?v=bhZFzPAjN8Q

EPISODE REFERENCES:

— Corey Nachreiner, CISSP (@SecAdept)

Office Patches Mend SharePoint and OneNote

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products like OneNote and SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released two security bulletins that fix a like number of vulnerabilities in OneNote and SharePoint. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-048: OneNote Code Execution Vulnerability

OneNote is a collaborative, multiuser note-taking application that ships with Office. It suffers from an unspecified vulnerability having to do with how it handles specially crafted OneNote files. If an attacker can lure you into opening such a file, she could exploit this flaw to execute code on your computer, with your privileges. As usual, if you are a local administrator, the attacker gains complete control of your PC.

Microsoft rating: Important

  • MS14-050: SharePoint Elevation of Privilege Vulnerability

SharePoint Server is Microsoft’s web and document collaboration and management platform. It suffers from a privilege escalation vulnerability. SharePoint offers an extensibility model that allows you to create apps that can access and use SharePoint resources. However, SharePoint suffers some unspecified flaw that allows specially crafted apps to bypass permission management. In short, by running a specially crafted application, an attacker may be able to access all the SharePoint resources of the currently logged-in user.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

We recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Office Updates Include Patches for SharePoint Vulnerabilities

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products like SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents, or interacting with web resources
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a number of vulnerabilities in Office, SharePoint, and related components. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-022: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both multiple remote code execution vulnerabilities and a cross-site scripting (XSS) flaw. The remote code execution flaws pose the most risk, and involve several unspecified input sanitization vulnerabilities in a number of SharePoint pages. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges. Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. If you run SharePoint servers, you should patch this as quickly as you can.

Microsoft rating: Critical

  • MS14-023: Office Remote Code Execution Flaw

Various Office components suffer from two publicly reported vulnerabilities. The worst is a remote code execution flaw involving the way Office’s “Grammar Checker” feature loads Dynamic Link Libraries (DLL). However, the flaw only affects Grammar Checker when the language is set to Chinese (Simplified). If a remote attacker can convince you to open an Office document that resides in the same directory (local or over a network) as a malicious DLL, she could exploit this flaw to execute code with your privileges. If you have local administrative access, the attacker gains complete control of your computer. However, this flaw will likely primarily affect Chinese Office users, which somewhat limits its impact. Office also suffers from something called a “token reuse” flaw, but it poses a lesser risk than the remote code execution one.

Microsoft rating: Important

  • MS13-086: MSCOMCTL ASLR Bypass Vulnerabilities

Office (and many other Microsoft products) ships with a set of ActiveX controls that Microsoft calls the Windows Common Controls (MSCOMCTL.OCX). Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. Office’s MSCOMCTL component doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



Microsoft Black Tuesday: Patches for IE, Sharepoint, Office, and Windows

Calling all Microsoft administrators! It’s Microsoft Patch Day, and their security updates are available for download.

You know the drill by now. As they do every second Tuesday of the month, Microsoft has released May’s important security updates. You can find this month’s Patch Day highlights in Microsoft’s summary post, but here’s what you really need to know:

  • Microsoft released eight bulletins, two rated Critical and the rest Important.
  • The affected products include
    • Windows
    • Office
    • Internet Explorer (IE)
    • and Sharepoint Server.
  • Attackers are apparently exploiting some of the Windows and IE vulnerabilities in the wild already, in what Microsoft calls “limited, targeted attacks.”
  • As expected, Windows XP users aren’t getting patches this month (or from hereafter).

In short, if you use any of the affected Microsoft products, you should download, test, and deploy these updates as quickly as you can. You can also let Windows’ Automatic Update do it for you. While I don’t recommend Automatic Update on servers (due to potential patch bugs), I do think you should enable it on your client computers. As always, concentrate on installing the Critical updates as soon as you can (especially the IE one this month), and handle the others later.

I’ll share more details about today’s patches on the blog throughout the day, though these posts may be slightly delayed due to my participation in WatchGuard’s US Partner Summit.  — Corey Nachreiner, CISSP (@SecAdept).

Microsoft Black Tuesday: IE Fix Leads the List of Critical Updates

Today’s Microsoft Patch Day will probably be a bit busier than expected. It looks like Microsoft called a last-minute audible, releasing seven security bulletins rather than the five I mentioned in last week’s security video. The good news is this last-minute play change might help your security team win the game by providing your users with a more protected web browser.

Microsoft Patch Day: Feb, 2014


February’s Patch Day summary highlights seven security bulletins that fix 32 vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows and its various components, and Forefront Protection for Exchange. They rate four of these bulletins as Critical, and the rest as Important.

This month, the most important updates are probably the most unexpected ones. Microsoft’s original advisory suggested they planned on releasing updates for Windows and one of their security products (which we now know is Forefront Protection), but they had not mentioned the IE or VBScript updates they released today. However, both these unexpected updates make great additions to this month’s Patch Day. The IE cumulative patch fixes 24 serious vulnerabilities, including one disclosed publicly; many of which attackers can leverage to execute code in drive-by download attacks. Though Microsoft hasn’t seen anyone exploiting these flaws in the wild yet, I expect attackers will surely reverse this update and start exploiting these flaws soon. The VBScript update is no slouch either, as it too fixes a code execution flaw. If bad guys can entice you to a web page with malicious code, they can use these flaws to “pwn” your computer.

Of course, you shouldn’t ignore the expected updates either. Two of them—the critical flaws in Direct2D and Forefront Protection for Exchange—also allow remote attackers to execute code on your systems. In short, if you are a Microsoft administrator, you should apply today’s critical updates as soon as you can, and take care of the Important ones while you’re at it. In general, I recommend you test Microsoft updates before deploying them throughout your production network, especially server-related updates that affect critical production servers. This is probably especially true this month, for the two surprise updates. Since the IE and VBScript updates came out a bit earlier than expected, they may not have gone through as rigorous a QA process as usual. You might want to give them a whirl on non-production machines, or your virtual testing environment, before sharing them with your users.

For more details on today’s Patch Day, check out the February bulletin summary now, or wait for our detailed, consolidated alerts which I’ll post on the blog through the day. — Corey Nachreiner, CISSP (@SecAdept).

Trio of Office Updates Fix SharePoint Flaw & ASLR Bypass

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office and related products, including SharePoint
  • How an attacker exploits them: Varies. Typically by enticing users to visit malicious web content or open Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix a like number of vulnerabilities in Microsoft Office and related products like SharePoint. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-100: SharePoint Code Execution Vulnerability

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from an unspecified remote code execution flaw having to do with how it parses specially crafted page content. If an authenticated attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. However, Microsoft assigns this particular flaw an Important severity rating, probably because the attacker needs valid SharePoint credentials to exploit it.

Microsoft rating: Important

  • MS13-104: Office Access Token Hijacking Flaw

When you log in to an Office or SharePoint server, the server verifies your credentials and then produces an access token, which allows you to continue accessing the server for a limited period of time. Office suffers from an unspecified flaw having to do with how it handles documents hosted on web sites. If an attacker can entice you into opening an Office document hosted on a malicious site, he could exploit this flaw to gain access to your access token, and then may be able to leverage that token to hijack your SharePoint or Office server sessions.

Microsoft rating: Important

Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. One of the shared components that ships with Office products doesn’t enable ASLR protection. This means attackers can leverage this particular component to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. Since Internet Explorer (IE) loads this component, it’s particularly useful for attackers. This update fixes the ASLR bypass hole. If you’d like more details about this fix, and how it helps your overall Windows security, see this Microsoft blog post. Though Microsoft only gives this their medium severity rating, we recommend you apply the update quickly.

Microsoft rating: Important
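Both ASLR bypass items on this page (the MSCOMCTL.OCX component and the shared Office component above) come down to a module that does not opt in to ASLR, which a defender can check by reading the DllCharacteristics field of the module's PE header. The following is an added example, not part of the original alerts or any Microsoft tool; the function names and the constructed sample headers are assumptions for illustration.

```python
"""Report whether a PE image (DLL, OCX, EXE) opts in to ASLR."""
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # /DYNAMICBASE: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # /NXCOMPAT: DEP opt-in
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B


class NotPE(ValueError):
    """Raised when the buffer is not a parseable PE image."""


def aslr_status(image: bytes) -> dict:
    """Parse the PE headers in `image` and return its mitigation flags."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise NotPE("missing MZ signature")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    coff = e_lfanew + 4   # 20-byte COFF file header
    opt = coff + 20       # optional header follows it
    if opt + 72 > len(image) or image[e_lfanew:coff] != b"PE\0\0":
        raise NotPE("missing or truncated PE header")
    size_opt, characteristics = struct.unpack_from("<HH", image, coff + 16)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC) or size_opt < 72:
        raise NotPE("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # Without relocation data the loader cannot move the image, so the
        # opt-in flag alone is not enough.
        "aslr": dynamic_base and not relocs_stripped,
    }


def build_sample(dll_chars: int, characteristics: int = 0x2102,
                 magic: int = PE32_MAGIC) -> bytes:
    """Constructed sample: headers only, just enough for aslr_status()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, characteristics)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


def scan_file(path: str) -> dict:
    """Read the start of a file on disk and report its flags."""
    with open(path, "rb") as handle:
        return aslr_status(handle.read(65536))


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            try:
                print(path, scan_file(path))
            except (NotPE, OSError) as err:
                print(path, "skipped:", err)
    else:
        # Constructed headers: one module without the opt-in, one with it.
        print("no DYNAMICBASE:", aslr_status(build_sample(0x0100)))
        print("DYNAMICBASE   :", aslr_status(build_sample(0x0140)))
```

Run it with one or more module paths as arguments to inventory which components loaded by Office or IE still lack the opt-in after patching.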

As an aside, Microsoft also released a security bulletin (MS03-103) describing a flaw that primarily affects developers and organizations that specifically use the ASP.NET SignalR library. If you happen to use the ASP.NET SignalR library, do know it suffers from a relatively minor cross-site scripting (XSS) vulnerability, and you should update.

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server. Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



Sharepoint, Excel, and Word Security Updates

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Word, and Excel
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released three security bulletins that fix five vulnerabilities in SharePoint, Word, and Excel, which are all part of Microsoft’s Office suite of products. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-084: Two SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from both a remote code execution and cross-site scripting (XSS) flaw. The remote code execution is the more severe issue, and involves a flaw in the way Sharepoint handles specially crafted Excel files (this flaw directly relates to an Excel flaw we describe below). If an attacker can entice you to open a specially crafted Excel file from a SharePoint server (or from the Office Services or Web Apps), he could leverage this flaw to execute code on your computer, with your privileges. If you’re an administrator, the attacker has total control of your machine.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

  • MS13-085: Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. One of these two Excel flaws is identical to the Excel-related flaw in SharePoint. This flaw does not affect Excel 2003, but it does affect Excel for Mac.

Microsoft rating: Important

  • MS13-086: Two Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It, like Excel, suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects Word 2003 and 2007, not Word for Mac.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of some of these vulnerabilities. Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of these attacks:

  • WEB Microsoft Parameter Injection Vulnerability (CVE-2013-3895)
  • EXPLOIT Microsoft Word Memory Corruption Vulnerability (CVE-2013-3891)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



Office Updates Fix SharePoint, Outlook, Word, and More

Severity: High

Summary:

  • These vulnerabilities affect: Microsoft Office related products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and other components
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Today, Microsoft released seven security bulletins that fix 26 vulnerabilities in a range of Microsoft Office products, including SharePoint, Outlook, Word, Excel, Access, FrontPage and an IME component. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS13-067: Multiple SharePoint Vulnerabilities

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint, and some of its related components, suffer from a number of vulnerabilities, ranging from remote code execution flaws to a denial of service (DoS) condition. The worst vulnerability is an input validation flaw involving how SharePoint handles specially crafted content. If an attacker can upload specially crafted content to your SharePoint server, he could leverage this flaw to execute code on that server with the W3WP (w3wp.exe) service account’s privileges.

Unfortunately, Microsoft’s alert doesn’t go into detail about the privileges associated with the W3WP services account. However, we’ve found that w3wp.exe often runs as a child process under svchost.exe, which runs with local SYSTEM privileges by default; potentially making this a complete system compromise. In either case, Microsoft assigns this particular flaw their highest severity rating, so SharePoint administrators should patch as soon as possible, especially if you expose your services publicly.

These flaws also affect Excel Services, Word Automation Services, and various Office Web Apps.

Microsoft rating: Critical

  • MS13-068: Outlook S/MIME Code Execution Flaw

Outlook is the popular Windows email client that ships with Office. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encrypting MIME data, or put more simply, it allows you to encrypt email. Outlook suffers from a code execution vulnerability involving the way it handles specially crafted S/MIME messages. An attacker could exploit this flaw to execute code on your computer simply by sending you a specially crafted email (though you’d have to open or preview the message first). The code runs with your privileges, and if your users have local administrator privileges, the attacker gains complete control of their PCs. This flaw sounds, and is, pretty severe with one small exception. Microsoft believes it is technically pretty difficult to exploit. Nonetheless, we recommend you apply the patch posthaste.

Microsoft rating: Critical

  • MS13-072: Ten Word Memory Corruption Vulnerabilities

Word is the popular word processor that ships with Office. It suffers from ten memory corruption vulnerabilities having to do with how it handles specially crafted Office documents. By enticing one of your users to download and open a specially crafted document, an attacker could leverage this flaw to execute code on that user’s computer, with that user’s privileges. If you grant users local administrator privileges, the attacker would gain complete control of their machines. The flaw only affects the Windows versions of Word and Word Viewer, not Word for Mac.

Microsoft rating: Important

  • MS13-073: Two Excel Memory Corruption Vulnerabilities

Excel is the popular spreadsheet program that ships with Office. It suffers from two memory corruption vulnerabilities having to do with how it handles specially crafted spreadsheets. These flaws are essentially the same as the Word ones described above, but they affect Excel-related documents. So in short, if an attacker tricks you into opening a malicious Excel file, he can execute code as you. If you’re a local administrator, he has full control of your computer. Again, the flaws only affect the Windows versions, not Mac ones.

Microsoft rating: Important

  • MS13-074: Three Access Memory Corruption Vulnerabilities

Access is the popular database program that ships with Office. It suffers from three memory corruption vulnerabilities having to do with how it handles specially crafted database files. These flaws are identical in scope and impact to the two above, only they affect Access files. If you open the wrong database, an attacker can execute code as you.

Microsoft rating: Important

  • MS13-078: FrontPage Information Disclosure

FrontPage is a WYSIWYG HTML editor for creating web sites, which ships with Office. It suffers from an information disclosure flaw. If an attacker can trick a FrontPage user into opening a specially crafted FrontPage document, she could exploit this flaw to read the contents of any file on that user’s computer (assuming they knew the location of a specific file).

Microsoft rating: Important

  • MS13-075: Chinese IME Elevation of Privilege Vulnerability

Input Method Editors (IME) are optional components that allow Latin keyboard users to type non-Latin characters in Office or Windows. Unfortunately, the Office IME for Pinyin Chinese suffers from an elevation of privilege (EoP) vulnerability. If an attacker can gain local access to your computer using valid Windows credentials, he could run a specially crafted program that would give him full SYSTEM-level privileges on your computer. Of course, the attack only affects those who’ve specifically installed the Pinyin Chinese Office IME, and the attacker must have a valid login to exploit the issue.

Microsoft rating: Important

Solution Path:

Microsoft has released Office-related patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

WatchGuard’s eXtensible Threat Management (XTM) security appliances can help mitigate the risk of many of these vulnerabilities. For instance, you might use firewall policies to prevent external users from accessing your SharePoint server, or use the SMTP proxy to block messages containing S/MIME content (by blocking the application/pkcs7-mime MIME content type).

Furthermore, Gateway Antivirus and Intrusion Prevention services can often prevent some of these types of attacks, or the malware these types of attacks try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of these attacks:

  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -1 (CVE-2013-0081)
  • EXPLOIT Microsoft SharePoint Denial of Service Vulnerability -2 (CVE-2013-0081)
  • EXPLOIT Microsoft Office Could Allow Remote Code Execution (CVE-2013-3850)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -1 (CVE-2013-3180)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -2 (CVE-2013-3180)
  • EXPLOIT Microsoft SharePoint Server Could Allow Remote Code Execution -3 (CVE-2013-3180)

Your XTM appliance should get this new IPS update shortly.

Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from these flaws.

Status:

Microsoft has released patches correcting these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).



Microsoft Black Tuesday: Big IE Update Trumps Windows & Office Patches

If you manage Windows networks, you know what time it is… time for Microsoft’s monthly list of security updates.

Microsoft Patch day has gone live, and you can find a listing of today’s security bulletins in their June Patch Day summary page. As expected, they released five security bulletins, one for Internet Explorer (IE), three for Windows and its components, and one for Office. They only rate the IE bulletin as Critical.

I recommend you focus most of your attention on the IE update. It corrects 19 vulnerabilities—the bulk of today’s flaws—and most of them could allow remote attackers to gain control of your users’ computers via drive-by download attacks. You should definitely patch it first. That said, the Windows and Office updates are still important. Even though the Windows flaws require local access, and the Office flaw requires a bit of user interaction, they still pose some risk. So patch them too, just start with IE.

We’ll share more details about Microsoft’s bulletins in three upcoming alerts, posted throughout the day. Stay tuned. — Corey Nachreiner, CISSP (@SecAdept)

SharePoint Suffers from XSS and Information Disclosure Flaws

Summary:

  • These vulnerabilities affect: SharePoint Server, Groove Server, Office Web Apps, and InfoPath 2010, which are all part of Microsoft’s Office family of products
  • How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious link, or by visiting a specific address on a vulnerable server
  • Impact: In the worst case, an attacker can elevate their privileges, gaining the ability to do anything the victim can on the affected server.
  • What to do: Install the appropriate updates as soon as you can, or let Windows Update do it for you.

Exposure:

Today, Microsoft released two Office-related security bulletins describing vulnerabilities found in SharePoint, SharePoint Foundation, Groove, Office Web Apps, and InfoPath — all part of Microsoft’s Office family of products. Microsoft rates both bulletins as Important. We summarize them below:

  • MS13-030:  SharePoint Information Disclosure Flaw

SharePoint Server is Microsoft’s web and document collaboration and management platform. SharePoint Server 2013 does not apply the proper access controls to a SharePoint list, which means any SharePoint user can gain access to items in the list, even if the list owner did not intend that user to have access. However, in order to exploit this flaw, the attacker needs valid credentials on your SharePoint Server, and needs to know the specific URL address for the SharePoint list in question. These factors significantly mitigate this vulnerability, limiting it primarily to an internal risk.

Microsoft rating: Important.

  • MS13-035: SharePoint and Office server XSS Vulnerability

SharePoint (and other Office-related servers like InfoPath and Groove) also suffer from an unspecified Cross-Site Scripting vulnerability (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to click a specially crafted link, an attacker could exploit this flaw to gain that user’s privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could. These flaws only affect the 2010 versions of these Office servers.

Microsoft rating: Important

Solution Path

Microsoft has released patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate ones as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

For All WatchGuard Users:

WatchGuard’s Intrusion Prevention services can sometimes prevent web application attacks like the XSS one described today. For instance, our IPS signature team has developed a new signature that can detect and block the “HTML Sanitization” XSS attack affecting SharePoint and other Office-related servers:

  • WEB-CLIENT Microsoft IE HTML Sanitization Vulnerability (CVE-2013-1289)

Your XTM appliance should get this new IPS update shortly. Nonetheless, attackers can still exploit these flaws locally, so we still recommend you install Microsoft’s updates.

Status:

Microsoft has released SharePoint and Visio updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).
