Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0388
Vulnerability in Microsoft Word Could Allow Remote Code Execution
25 March 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Word
Microsoft Word Viewer
Microsoft Office Compatibility Pack
Microsoft Office for Mac
Word Automation Services on Microsoft SharePoint Server
Microsoft Office Web Apps
Publisher: Microsoft
Operating System: Windows
OS X
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Mitigation
CVE Names: CVE-2014-1761
Original Bulletin:
https://technet.microsoft.com/en-us/security/advisory/2953095
Comment: Currently, targeted attacks are directed at Microsoft Word 2010.
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Advisory (2953095)
Vulnerability in Microsoft Word Could Allow Remote Code Execution
Published: Monday, March 24, 2014
Version: 1.0
General Information
Executive Summary
Microsoft is aware of a vulnerability affecting supported versions of
Microsoft Word. At this time, we are aware of limited, targeted attacks
directed at Microsoft Word 2010. The vulnerability could allow remote code
execution if a user opens a specially crafted RTF file using an affected
version of Microsoft Word, or previews or opens a specially crafted RTF email
message in Microsoft Outlook while using Microsoft Word as the email viewer.
An attacker who successfully exploited the vulnerability could gain the same
user rights as the current user. Customers whose accounts are configured to
have fewer user rights on the system could be less impacted than those who
operate with administrative user rights. Applying the Microsoft Fix it
solution, "Disable opening RTF content in Microsoft Word," prevents the
exploitation of this issue through Microsoft Word. See the Suggested Actions
section of this advisory for more information.
The vulnerability is a remote code execution vulnerability. The issue is
caused when Microsoft Word parses specially crafted RTF-formatted data causing
system memory to become corrupted in such a way that an attacker could execute
arbitrary code. The vulnerability could be exploited through Microsoft Outlook
only when using Microsoft Word as the email viewer. Note that by default,
Microsoft Word is the email reader in Microsoft Outlook 2007, Microsoft
Outlook 2010, and Microsoft Outlook 2013.
Issue References
For more information about this issue, see the following references:
References Identification
Microsoft Knowledge Base Article 2953095
CVE Reference CVE-2014-1761
Affected Software
Microsoft Word 2003 Service Pack 3
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 1 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 1 (64-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 (32-bit editions)
Microsoft Word 2013 (64-bit editions)
Microsoft Word 2013 RT
Microsoft Word Viewer
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office for Mac 2011
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
Word Automation Services on Microsoft SharePoint Server 2013
Microsoft Office Web Apps 2010 Service Pack 1
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps Server 2013
Suggested Actions
Workarounds
* Apply the Microsoft Fix it solution, "Disable opening RTF content in
Microsoft Word", that prevents exploitation of this issue
See Microsoft Knowledge Base Article 2953095 to use the automated Microsoft
Fix it solution to enable or disable this workaround.
Note This Microsoft Fix it solution configures the Microsoft Office File Block
policy to prevent the opening of RTF files in supported versions of Microsoft
Word.
* Read emails in plain text
To help protect yourself from the email attack vector, read email messages in
plain text format.
Microsoft Outlook 2003, Microsoft Outlook 2007, Microsoft Outlook 2010, and
Microsoft Outlook 2013 provide an option for reading email messages in plain
text format. For more information about the Read all standard mail in plain
text option, see Microsoft Knowledge Base Article 831607 and Read email
messages in plain text.
Microsoft Office Outlook 2002 users who have applied Office XP Service Pack 1,
Office XP Service Pack 2, or Office XP Service Pack 3 can enable this setting
and view in plain text only those email messages that are not digitally signed
or email messages that are not encrypted. Digitally signed email messages or
encrypted email messages are not affected by the setting and may be read in
their original formats. For more information about how to enable this setting
in Outlook 2002, see Microsoft Knowledge Base Article 307594.
Impact of workaround. Email messages that are viewed in plain text format will
not contain pictures, specialized fonts, animations, or other rich content. In
addition, the following behavior may be experienced:
The changes are applied to the preview pane and to open messages.
Pictures become attachments so that they are not lost.
Because the message is still in Rich Text or HTML format in the store, the
object model (custom code solutions) may behave unexpectedly.
* Use Microsoft Office File Block policy to prevent the opening of RTF files
in Microsoft Word 2007, Microsoft Word 2010, and Microsoft Word 2013
You can block specific types of files from being opened or saved in Excel,
PowerPoint, and Word by configuring settings in either Group Policy or the
Office Customization Tool (OCT). For more information about preventing users
from opening specific types of files in Microsoft Office, see Plan File block
settings.
To use file block to help protect from exploitation of the vulnerability,
configure file block to block RTF files for affected versions of Microsoft
Word.
* Use Microsoft Office File Block policy to prevent the opening of RTF files
in Microsoft Word 2003
Note Modifying the Registry incorrectly can cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee
that problems resulting from incorrect modification of the Registry can be
solved. Modify the Registry at your own risk.
For Office 2003
The following registry scripts can be used to set the File Block policy.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000001
Note In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the
latest security updates for Microsoft Office 2003 must be applied.
Impact of workaround. For Microsoft Office 2003, users who have configured the
File Block policy and have not configured a special exempt directory or have
not moved files to a trusted location will be unable to open RTF files. For
more information about the impact of file block setting in Microsoft Office
software, see Microsoft Knowledge Base Article 922850.
How to undo the workaround.
For Office 2003
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000000
* Deploy the Enhanced Mitigation Experience Toolkit
The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the
exploitation of this vulnerability by adding additional protection layers that
make the vulnerability harder to exploit. EMET 3.0 and EMET 4.1 are officially
supported by Microsoft. At this time, EMET is only available in the English
language. For more information, see Microsoft Knowledge Base Article 2458544.
For more information about configuring EMET, see the EMET User's Guide:
On 32-bit systems the EMET User's Guide is located in C:\Program Files\EMET\EMET User's Guide.pdf
On 64-bit systems the EMET User's Guide is located in C:\Program Files (x86)\EMET\EMET User's Guide.pdf
Configure EMET 4.1 for Microsoft Office applications
EMET 4.1, in the recommended configuration, is automatically configured to
help protect affected software installed on your system. No additional steps
are required.
Configure EMET 3.0 for Microsoft Office applications from the EMET user
interface
To add an Office application to the list of applications using EMET 3.0,
perform the following steps. You need to perform these steps for each of the
following Office application executables:
- - Word.exe
- - Outlook.exe
- - wordview.exe
To start EMET, click Start, All Programs, Enhanced Mitigation Experience
Toolkit, and EMET 3.0. Then for each affected software perform the following:
Click Yes on the UAC prompt, click Configure Apps, then select Add. Browse
to the application to be configured in EMET.
Click OK and exit EMET.
For 32-bit versions of Microsoft Office software on 64-bit Windows operating
systems, the file paths are:
For Office 2003: %ProgramFiles(x86)%\Microsoft Office\Office11\
For Office 2007: %ProgramFiles(x86)%\Microsoft Office\Office12\
For Office 2010: %ProgramFiles(x86)%\Microsoft Office\Office14\
For Office 2013: %ProgramFiles(x86)%\Microsoft Office\Office15\
For 32-bit versions of Microsoft Office software on 32-bit Windows operating
systems, the file paths are:
For Office 2003: %ProgramFiles%\Microsoft Office\Office11\
For Office 2007: %ProgramFiles%\Microsoft Office\Office12\
For Office 2010: %ProgramFiles%\Microsoft Office\Office14\
For Office 2013: %ProgramFiles%\Microsoft Office\Office15\
For 64-bit versions of Microsoft Office software, the file paths are:
For Office 2010: %ProgramFiles%\Microsoft Office\Office14\
For Office 2013: %ProgramFiles%\Microsoft Office\Office15\
Configure EMET 3.0 for Microsoft Office applications from a command line
Opt in the following Office application executables to all EMET 3.0
mitigations:
- - Word.exe
- - Outlook.exe
- - wordview.exe
Run the following from an elevated command prompt:
For 32-bit versions of Microsoft Office software:
"C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"
OR
"C:\Program Files(x86)\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"
For 64-bit versions of Microsoft Office software:
"C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"
If you have completed this successfully, the following message appears:
"The changes you have made may require restarting one or more applications"
Configure EMET for Microsoft Office applications using Group Policy
EMET can be configured using Group Policy. For information about configuring
EMET using Group Policy, see the EMET User's Guide:
For EMET 4.1:
On 32-bit systems the EMET User's Guide is located in C:\Program Files\EMET 4.1\EMET User's Guide.pdf
On 64-bit systems the EMET User's Guide is located in C:\Program Files (x86)\EMET 4.1\EMET User's Guide.pdf
For EMET 3.0:
On 32-bit systems the EMET User's Guide is located in C:\Program Files\EMET\EMET User's Guide.pdf
On 64-bit systems the EMET User's Guide is located in C:\Program Files (x86)\EMET\EMET User's Guide.pdf
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team
for reporting the Word RTF Memory Corruption Vulnerability (CVE-2014-1761)
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUzDLIRLndAQH1ShLAQJVuRAAh1hdn1FvSN9To1Yfxmfu5u7znPrgILWF
l3c9JrCoNSUquKR388wScXnfdLR57ZFKaf5aY1kSdx4wkA+Yde0UOHuYX3yGxDOG
2avY7ZPn3Q+FbGxJhD/4yVQkAK1Jc2bRV/RsodW88qmruEBz8OALEk/oTHJN5X7z
KsRnjz0nzpfvy0id0DD7r4q3y/oXRllRRPsGExiTNTiw4GlFAjPpuiv7Qf00Q+n8
ATcLRHGcCGz4Ym97ICUsJXliMGsaCJoalUl51khme4kSZbQuRz8EeNT2R939tVGU
Y994bghAp+37G/5mRzzv6z9cflPgPy7QMfEYGWB0cwLV4HYiGNwETUfChN0zmF9+
MI2yDmWTrELnKNXCRKJu/k4uJdSXql9DNwSkbWpfhIc1G2ORf8Rr62GYx5nNE4tC
bjFusGZ+bc9BrejH/WupPuTMhgBiPP7lby77uQH6eFXvbg+z6V+a5d8b080UqqO8
wNsXqmgYH9444ifWv0PjRKv0gkh4/ZJlXRWgJ69ja3zrNT3svARGpvy7Eh6MHlq1
uzsxVeMu4kJtj0UIq6a4QKzUPFtUAZEWe6Axg94c0EdwNb37r7UQCeSzFp6U174Q
a9kOYLVyNlvZcwTad0c5dAV7br/rWQnUfeROz8giedVRFqBR2GLrr8l8Js1c7WAa
ydyx+ekwEJk=
=82iT
-----END PGP SIGNATURE-----