ITS ADVISORY NUMBER:
Vulnerability in Microsoft Office Could Allow Information Disclosure (2909976)
A vulnerability has been reported in Microsoft Office that could allow information disclosure if a user opens a Microsoft Office file hosted on specially crafted website. Microsoft Office is an office suite of desktop applications, servers and services for both Microsoft Windows and Apple's OS X operating systems. If successful, an attacker would gain access to the identity and privileges of the user account and authenticate as the user to a targetted SharePoint site or other Microsoft Office server site.
- Microsoft Office 2013
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: High
A token hijacking vulnerability exists in Microsoft Office. This vulnerability exists when affected Microsoft Office software does not properly handle a specially crafted response while attempting to open an Office file hosted on the specially crafted website. In order for an attack to be successful, the user to must click a specially crafted link or file within an email or visit a specially crafted website. If successful, an attacker would gain access to the identity and privileges of the user account and authenticate as the user to a targeted SharePoint site or other Microsoft Office server site.
We recommend the following actions be taken:
- Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to download or open files from un-trusted websites.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
Acting Chief Information Security Officer
- EISO Home
- Incident Reporting
- Breach Notification
- Cyber Advisories
- NYS Digital Forensics
- Cyber Tips Newsletter
- Keeping Kids Safe Online
- Local Government
- Policies and Resources
- NY-ISAC Secure Portal
- Contact EISO