OCS ADVISORY NUMBER:
2010-100 - Updated

DATE(S) ISSUED:
11/9/2010
12/10/2010 - UPDATED

SUBJECT:
Multiple Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS10-087)

ORIGINAL OVERVIEW:

Multiple vulnerabilities have been identified in Microsoft Office, which is Microsoft's business application suite. These vulnerabilities could allow remote code execution if a user opens a specially crafted file and can be exploited via e-mail or through the web. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

UPDATED OVERVIEW:
Microsoft has released a patch which addresses the vulnerabilities in Microsoft Office 2008 for Mac.

SYSTEMS AFFECTED:

• Microsoft Office XP
• Microsoft Office 2003
• Microsoft Office 2004 for Mac
• Microsoft Office 2007
• Microsoft Office 2008 for Mac
• Microsoft Office 2010
• Microsoft Office 2011 for Mac
• Open XML File Format Converter for Mac

RISK:
Government:

• Large and medium government entities: High
• Small government entities: High

Businesses:

• Large and medium business entities: High
• Small business entities: High

Home users: High

ORIGINAL DESCRIPTION:
Multiple vulnerabilities have been identified in Microsoft Office that could allow an attacker to take complete control of an affected system. Details of these vulnerabilities are as follows:

The first vulnerability exists because Microsoft Office fails to perform adequate boundary-checks on user-supplied data. Specifically, this issue occurs when the software parses a specially crafted Rich Text Format (RTF) file.

The second vulnerability is due to the application searching for the 'pptimpconv.dl' Dynamic Link Library file in the current working directory. The issue can be exploited by placing a specially crafted library file in an attacker-controlled location along with a file that is associated with the vulnerable application. Using the application to open the associated file will cause the malicious library file to be executed.

The third vulnerability exists because the application fails to properly handle drawing exceptions. This issue can be exploited if a user opens a specially crafted Office file.

The fourth vulnerability affects the Art Drawing record when handling a specially crafted Office file.

The fifth vulnerability exists in Microsoft Office when handling a specially crafted Office file.

Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed attempts will result in a denial-of-service.

All but one of these vulnerabilities can be exploited by opening a specially crafted Office file received as an e-mail attachment, or by visiting a web site that is hosting a specially crafted Office file. The DLL vulnerability could be exploited if a user were to first save the specially crafted file in the same directory as an Office file and then be convinced to open the Office file. The DLL vulnerability could also be exploited if a user were to access an attacker controlled location with a vulnerable application.

It should be noted that there is currently no patch available for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac.

UPDATED DESCRIPTION:
Microsoft has released a patch which addresses the vulnerabilities in Microsoft Office 2008 for Mac.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
• Remind users not to download or open files from untrusted websites.
• Remind users not to open e-mail attachments from unknown or untrusted sources, or suspicious e-mails from trusted sources.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

ORIGINAL REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx

Security Focus:
http://www.securityfocus.com/bid/42628
http://www.securityfocus.com/bid/44652
http://www.securityfocus.com/bid/44656
http://www.securityfocus.com/bid/44659
http://www.securityfocus.com/bid/44660

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3333
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3334
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3335
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3336
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3337

UPDATED REFERENCES:
Microsoft:
http://support.microsoft.com/kb/2476512