The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2013-120

DATE(S) ISSUED:
12/10/2013

SUBJECT:
Vulnerability in Microsoft Office Could Allow Information Disclosure (2909976)

OVERVIEW:

A vulnerability has been reported in Microsoft Office that could allow information disclosure if a user opens a Microsoft Office file hosted on a specially crafted website. Microsoft Office is an office suite of desktop applications, servers and services for both Microsoft Windows and Apple's OS X operating systems. If successful, an attacker would gain access to the identity and privileges of the user account and could authenticate as the user to a targeted SharePoint site or other Microsoft Office server site.

SYSTEMS AFFECTED:

  • Microsoft Office 2013

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
A token hijacking vulnerability exists in Microsoft Office. The vulnerability occurs when affected Microsoft Office software does not properly handle a specially crafted response while attempting to open an Office file hosted on a specially crafted website. For an attack to succeed, the user must click a specially crafted link or file within an email or visit a specially crafted website. If successful, an attacker would gain access to the identity and privileges of the user account and could authenticate as the user to a targeted SharePoint site or other Microsoft Office server site.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download or open files from untrusted websites.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:
Microsoft:
https://technet.microsoft.com/en-us/security/bulletin/ms13-104

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5054

Deborah A. Snyder

Acting Chief Information Security Officer

Cyber Security

GIS