===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0087
        Microsoft Office and Microsoft Office Services and Web Apps
                             Security Updates
                               14 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Office, Microsoft Office Services and Web Apps
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account            
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-8528 CVE-2017-8527 CVE-2017-8513
                      CVE-2017-8512 CVE-2017-8511 CVE-2017-8510
                      CVE-2017-8509 CVE-2017-8507 CVE-2017-8506
                      CVE-2017-0292 CVE-2017-0283 CVE-2017-0260
Member content until: Friday, July 14 2017

OVERVIEW

        Microsoft has released its monthly security patch update for the 
        month of June 2017 for Microsoft Office and Microsoft Office 
        Services and Web Apps. [1]
        
        This update resolves 12 vulnerabilities across the following
        products:
        
        Microsoft Excel 2013 RT Service Pack 1
        Microsoft Live Meeting 2007 Add-in
        Microsoft Live Meeting 2007 Console
        Microsoft Office 2007 Service Pack 3
        Microsoft Office 2010 Service Pack 2 (32-bit editions)
        Microsoft Office 2010 Service Pack 2 (64-bit editions)
        Microsoft Office 2013 RT Service Pack 1
        Microsoft Office 2013 Service Pack 1 (32-bit editions)
        Microsoft Office 2013 Service Pack 1 (64-bit editions)
        Microsoft Office 2016 (32-bit edition)
        Microsoft Office 2016 (64-bit edition)
        Microsoft Office Compatibility Pack Service Pack 3
        Microsoft Office Online Server 2016
        Microsoft Office Web Apps 2010
        Microsoft Office Web Apps 2010 Service Pack 2
        Microsoft Office Web Apps 2013 Service Pack 1
        Microsoft Office Web Apps Server 2010 Service Pack 2
        Microsoft Office Web Apps Server 2013 Service Pack 1
        Microsoft Office Word Viewer
        Microsoft OneNote 2010 Service Pack 2 (32-bit editions)
        Microsoft OneNote 2010 Service Pack 2 (64-bit editions)
        Microsoft Outlook 2007 Service Pack 3
        Microsoft Outlook 2010 Service Pack 2 (32-bit editions)
        Microsoft Outlook 2010 Service Pack 2 (64-bit editions)
        Microsoft Outlook 2013 RT Service Pack 1
        Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
        Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
        Microsoft Outlook 2016 (32-bit edition)
        Microsoft Outlook 2016 (64-bit edition)
        Microsoft PowerPoint 2007 Service Pack 3
        Microsoft PowerPoint 2013 RT Service Pack 1
        Microsoft PowerPoint 2016 for Mac
        Microsoft PowerPoint for Mac 2011
        Microsoft SharePoint Enterprise Server 2013 Service Pack 1
        Microsoft SharePoint Enterprise Server 2016
        Microsoft SharePoint Server 2007 Service Pack 3 (32-bit editions)
        Microsoft SharePoint Server 2013 Service Pack 1
        Microsoft Word 2007 Service Pack 3
        Microsoft Word 2010 Service Pack 2 (32-bit editions)
        Microsoft Word 2010 Service Pack 2 (64-bit editions)
        Microsoft Word 2013 RT Service Pack 1
        Microsoft Word 2013 Service Pack 1 (32-bit editions)
        Microsoft Word 2013 Service Pack 1 (64-bit editions)
        Microsoft Word 2016 (32-bit edition)
        Microsoft Word 2016 (64-bit edition)
        Microsoft Word 2016 for Mac
        Microsoft Word for Mac 2011
        Word Automation Services


IMPACT

        Microsoft has given the following details regarding these 
        vulnerabilities:
        
        Details         Impact                    Severity
        CVE-2017-0260   Remote Code Execution     Important
        CVE-2017-0282   Information Disclosure    Important
        CVE-2017-0283   Remote Code Execution     Critical
        CVE-2017-0284   Information Disclosure    Important
        CVE-2017-0285   Information Disclosure    Important
        CVE-2017-0286   Information Disclosure    Important
        CVE-2017-0287   Information Disclosure    Important
        CVE-2017-0288   Information Disclosure    Important
        CVE-2017-0289   Information Disclosure    Important
        CVE-2017-0292   Remote Code Execution     Important
        CVE-2017-8506   Remote Code Execution     Important
        CVE-2017-8507   Remote Code Execution     Important
        CVE-2017-8508   Security Feature Bypass   Important
        CVE-2017-8509   Remote Code Execution     Important
        CVE-2017-8510   Remote Code Execution     Important
        CVE-2017-8511   Remote Code Execution     Important
        CVE-2017-8512   Remote Code Execution     Important
        CVE-2017-8513   Remote Code Execution     Important
        CVE-2017-8514   Information Disclosure    Important
        CVE-2017-8527   Remote Code Execution     Critical
        CVE-2017-8528   Remote Code Execution     Critical
        CVE-2017-8531   Information Disclosure    Important
        CVE-2017-8532   Information Disclosure    Important
        CVE-2017-8533   Information Disclosure    Important
        CVE-2017-8534   Information Disclosure    Important
        CVE-2017-8545   Spoofing                  Important
        CVE-2017-8550   Information Disclosure    Important
        CVE-2017-8551   Elevation of Privilege    Important


MITIGATION

        Microsoft recommends updating the software with the versions
        made available on the Microsoft Update Catalog for the following
        Knowledge Base articles. [1]
        
        KB3118304, KB3118389, KB3127888, KB3127894, KB3162051, KB3172445,
        KB3178667, KB3191828, KB3191837, KB3191844, KB3191848, KB3191882,
        KB3191898, KB3191908, KB3191932, KB3191938, KB3191939, KB3191943, 
        KB3191944, KB3191945, KB3203383, KB3203384, KB3203386, KB3203390, 
        KB3203391, KB3203392, KB3203393, KB3203399, KB3203427, KB3203430, 
        KB3203432, KB3203436, KB3203438, KB3203441, KB3203458, KB3203460, 
        KB3203461, KB3203463, KB3203464, KB3203466, KB3203467, KB3203484, 
        KB3203485, KB3212223, KB4020732, KB4020735, KB4020736.


REFERENCES

        [1] Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================