===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0388
     Vulnerability in Microsoft Word Could Allow Remote Code Execution
                               25 March 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Word
                   Microsoft Word Viewer
                   Microsoft Office Compatibility Pack
                   Microsoft Office for Mac
                   Word Automation Services on Microsoft SharePoint Server
                   Microsoft Office Web Apps
Publisher:         Microsoft
Operating System:  Windows
                   OS X
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Mitigation
CVE Names:         CVE-2014-1761  

Original Bulletin: 
   https://technet.microsoft.com/en-us/security/advisory/2953095

Comment: Currently, targeted attacks are directed at Microsoft Word 2010.

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory (2953095)
Vulnerability in Microsoft Word Could Allow Remote Code Execution

Published: Monday, March 24, 2014

Version: 1.0

General Information

Executive Summary

Microsoft is aware of a vulnerability affecting supported versions of 
Microsoft Word. At this time, we are aware of limited, targeted attacks 
directed at Microsoft Word 2010. The vulnerability could allow remote code 
execution if a user opens a specially crafted RTF file using an affected 
version of Microsoft Word, or previews or opens a specially crafted RTF email 
message in Microsoft Outlook while using Microsoft Word as the email viewer. 
An attacker who successfully exploited the vulnerability could gain the same 
user rights as the current user. Customers whose accounts are configured to 
have fewer user rights on the system could be less impacted than those who 
operate with administrative user rights. Applying the Microsoft Fix it 
solution, "Disable opening RTF content in Microsoft Word," prevents the 
exploitation of this issue through Microsoft Word. See the Suggested Actions 
section of this advisory for more information.

The vulnerability is a remote code execution vulnerability. The issue is 
caused when Microsoft Word parses specially crafted RTF-formatted data causing 
system memory to become corrupted in such a way that an attacker could execute 
arbitrary code. The vulnerability could be exploited through Microsoft Outlook 
only when using Microsoft Word as the email viewer. Note that by default, 
Microsoft Word is the email reader in Microsoft Outlook 2007, Microsoft 
Outlook 2010, and Microsoft Outlook 2013.

Issue References

For more information about this issue, see the following references:

References                           Identification
Microsoft Knowledge Base Article     2953095 
CVE Reference                        CVE-2014-1761 

Affected Software

Microsoft Word 2003 Service Pack 3
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 1 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 1 (64-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 (32-bit editions)
Microsoft Word 2013 (64-bit editions)
Microsoft Word 2013 RT
Microsoft Word Viewer
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office for Mac 2011
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
Word Automation Services on Microsoft SharePoint Server 2013
Microsoft Office Web Apps 2010 Service Pack 1
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps Server 2013

Suggested Actions

Workarounds

* Apply the Microsoft Fix it solution, "Disable opening RTF content in 
Microsoft Word", that prevents exploitation of this issue

See Microsoft Knowledge Base Article 2953095 to use the automated Microsoft 
Fix it solution to enable or disable this workaround.

Note: This Microsoft Fix it solution configures the Microsoft Office File Block 
policy to prevent the opening of RTF files in supported versions of Microsoft 
Word.

 
* Read emails in plain text

To help protect yourself from the email attack vector, read email messages in 
plain text format.

Microsoft Outlook 2003, Microsoft Outlook 2007, Microsoft Outlook 2010, and 
Microsoft Outlook 2013 provide an option for reading email messages in plain 
text format. For more information about the "Read all standard mail in plain 
text" option, see Microsoft Knowledge Base Article 831607 and "Read email 
messages in plain text".

Microsoft Office Outlook 2002 users who have applied Office XP Service Pack 1, 
Office XP Service Pack 2, or Office XP Service Pack 3 can enable this setting 
and view in plain text only those email messages that are not digitally signed 
or email messages that are not encrypted. Digitally signed email messages or 
encrypted email messages are not affected by the setting and may be read in 
their original formats. For more information about how to enable this setting 
in Outlook 2002, see Microsoft Knowledge Base Article 307594.

Impact of workaround. Email messages that are viewed in plain text format will 
not contain pictures, specialized fonts, animations, or other rich content. In 
addition, the following behavior may be experienced:

   - The changes are applied to the preview pane and to open messages.
   - Pictures become attachments so that they are not lost.
   - Because the message is still in Rich Text or HTML format in the store, the 
     object model (custom code solutions) may behave unexpectedly.

 
* Use Microsoft Office File Block policy to prevent the opening of RTF files 
in Microsoft Word 2007, Microsoft Word 2010, and Microsoft Word 2013

You can block specific types of files from being opened or saved in Excel, 
PowerPoint, and Word by configuring settings in either Group Policy or the 
Office Customization Tool (OCT). For more information about preventing users 
from opening specific types of files in Microsoft Office, see "Plan File block 
settings".

To use file block to help protect from exploitation of the vulnerability, 
configure file block to block RTF files for affected versions of Microsoft 
Word.
 
* Use Microsoft Office File Block policy to prevent the opening of RTF files 
in Microsoft Word 2003

Note: Modifying the Registry incorrectly can cause serious problems that may 
require you to reinstall your operating system. Microsoft cannot guarantee 
that problems resulting from incorrect modification of the Registry can be 
solved. Modify the Registry at your own risk.

For Office 2003

The following registry scripts can be used to set the File Block policy.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the 
latest security updates for Microsoft Office 2003 must be applied.

Impact of workaround. For Microsoft Office 2003, users who have configured the 
File Block policy and have not configured a special exempt directory or have 
not moved files to a trusted location will be unable to open RTF files. For 
more information about the impact of file block setting in Microsoft Office 
software, see Microsoft Knowledge Base Article 922850.

How to undo the workaround.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000000
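
The Word 2003 File Block value can also be checked and set per user from 
PowerShell. This is an added example, not part of the Microsoft advisory; it 
uses only the key and value name from the registry scripts above, and the 
-Mode parameter and function names are hypothetical.

```powershell
# Added example: audit, apply or undo the Word 2003 RTF File Block value.
# HKCU is per user, so run this as the user whose setting is being checked.
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Block', 'Undo')]
    [string]$Mode = 'Audit'   # hypothetical parameter, not from the advisory
)

# Key and value name are taken from the advisory's registry script.
$KeyPath   = 'HKCU:\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock'
$ValueName = 'RtfFiles'

function Get-RtfBlockState {
    # Returns 'Blocked', 'NotBlocked' or 'NotConfigured' (key or value absent).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Blocked' }
    return 'NotBlocked'
}

function Set-RtfBlockState([int]$Value) {
    # Create the FileOpenBlock key if it does not exist yet, then write the DWORD.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

switch ($Mode) {
    'Block' { Set-RtfBlockState 1 }   # same effect as the first .reg script
    'Undo'  { Set-RtfBlockState 0 }   # same effect as the undo .reg script
}

# Always report the resulting state so the change can be verified.
[pscustomobject]@{
    User  = "$env:USERDOMAIN\$env:USERNAME"
    Key   = $KeyPath
    Value = $ValueName
    State = Get-RtfBlockState
}
```

A state of NotConfigured or NotBlocked means Word 2003 will still open RTF 
files for that user.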

 
* Deploy the Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the 
exploitation of this vulnerability by adding additional protection layers that 
make the vulnerability harder to exploit. EMET 3.0 and EMET 4.1 are officially 
supported by Microsoft. At this time, EMET is only available in the English 
language. For more information, see Microsoft Knowledge Base Article 2458544.

For more information about configuring EMET, see the EMET User's Guide:

   On 32-bit systems the EMET User's Guide is located in C:\Program Files\EMET\EMET User's Guide.pdf
   On 64-bit systems the EMET User's Guide is located in C:\Program Files (x86)\EMET\EMET User's Guide.pdf

Configure EMET 4.1 for Microsoft Office applications

EMET 4.1, in the recommended configuration, is automatically configured to 
help protect affected software installed on your system. No additional steps 
are required.

Configure EMET 3.0 for Microsoft Office applications from the EMET user 
interface

To add an Office application to the list of applications using EMET 3.0, 
perform the following steps. You need to perform these steps for each of the 
following Office application executables:

- Word.exe
- Outlook.exe
- wordview.exe

To start EMET, click Start, All Programs, Enhanced Mitigation Experience 
Toolkit, and EMET 3.0. Then for each affected software perform the following:

    1. Click Yes on the UAC prompt, click Configure Apps, then select Add. 
       Browse to the application to be configured in EMET.
    2. Click OK and exit EMET.

For 32-bit versions of Microsoft Office software on 64-bit Windows operating 
systems, the file paths are:

For Office 2003: %ProgramFiles(x86)%\Microsoft Office\Office11\
For Office 2007: %ProgramFiles(x86)%\Microsoft Office\Office12\
For Office 2010: %ProgramFiles(x86)%\Microsoft Office\Office14\
For Office 2013: %ProgramFiles(x86)%\Microsoft Office\Office15\

For 32-bit versions of Microsoft Office software on 32-bit Windows operating 
systems, the file paths are:

For Office 2003: %ProgramFiles%\Microsoft Office\Office11\
For Office 2007: %ProgramFiles%\Microsoft Office\Office12\
For Office 2010: %ProgramFiles%\Microsoft Office\Office14\
For Office 2013: %ProgramFiles%\Microsoft Office\Office15\

For 64-bit versions of Microsoft Office software, the file paths are:

For Office 2010: %ProgramFiles%\Microsoft Office\Office14\
For Office 2013: %ProgramFiles%\Microsoft Office\Office15\

Configure EMET 3.0 for Microsoft Office applications from a command line

Opt in the following Office application executables to all EMET 3.0 
mitigations:

- Word.exe
- Outlook.exe
- wordview.exe

   Run the following from an elevated command prompt:

   For 32-bit versions of Microsoft Office software:

   "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

   OR

   "C:\Program Files (x86)\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

   For 64-bit versions of Microsoft Office software:

   "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

   If you have completed this successfully, the following message appears:

   "The changes you have made may require restarting one or more applications"
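
The per-executable commands above, as a single PowerShell loop (an added 
example, not part of the Microsoft advisory). It assumes EMET 3.0 is installed 
in one of the two locations named above and that EMET_Conf.exe returns a 
non-zero exit code on failure; the variable names are illustrative.

```powershell
# Added example: opt the listed Office executables in to EMET 3.0 mitigations
# using the EMET_Conf.exe --set syntax shown in the advisory.
# Run from an elevated PowerShell prompt.

# Both install locations named in the advisory; the first that exists is used.
$candidates = @(
    (Join-Path $env:ProgramFiles 'EMET\EMET_Conf.exe')
)
if (${env:ProgramFiles(x86)}) {
    $candidates += Join-Path ${env:ProgramFiles(x86)} 'EMET\EMET_Conf.exe'
}
$emetConf = $candidates |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $emetConf) {
    throw "EMET_Conf.exe not found in: $($candidates -join ', ')"
}

# Names as listed in the advisory. Confirm each against the files actually
# present in the Office folder (Word's binary is normally WINWORD.EXE).
$apps = 'Word.exe', 'Outlook.exe', 'wordview.exe'

$failed = @()
foreach ($app in $apps) {
    # Wildcard path pattern copied from the advisory's command line.
    $pattern = "*\Microsoft Office\Office1*\$app"
    Write-Host "Configuring EMET for $pattern"
    & $emetConf --set $pattern
    # Assumption: a non-zero exit code signals failure.
    if ($LASTEXITCODE -ne 0) { $failed += $app }
}

if ($failed) {
    throw "EMET_Conf.exe reported an error for: $($failed -join ', ')"
}
```

Restart any running Office applications afterwards, as the success message 
indicates.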

Configure EMET for Microsoft Office applications using Group Policy

EMET can be configured using Group Policy. For information about configuring 
EMET using Group Policy, see the EMET User's Guide:

For EMET 4.1:

    On 32-bit systems the EMET User's Guide is located in C:\Program Files\EMET 4.1\EMET User's Guide.pdf
    On 64-bit systems the EMET User's Guide is located in C:\Program Files (x86)\EMET 4.1\EMET User's Guide.pdf

For EMET 3.0:

    On 32-bit systems the EMET User's Guide is located in C:\Program Files\EMET\EMET User's Guide.pdf
    On 64-bit systems the EMET User's Guide is located in C:\Program Files (x86)\EMET\EMET User's Guide.pdf

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team 
for reporting the Word RTF Memory Corruption Vulnerability (CVE-2014-1761)

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================