MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-185

DATE(S) ISSUED:
12/13/16

SUBJECT:
Multiple Vulnerabilities in Microsoft Office Could Allow for Remote Code Execution (MS16-148)

OVERVIEW:

Multiple vulnerabilities have been discovered in Microsoft Office, the most severe of which could result in remote code execution if a user opens a specially crafted Microsoft Office file. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

· Microsoft Office 2007, 2010, 2013, 2013 RT, 2016

· Microsoft Office for Mac 2011, Office 2016 for Mac

· Microsoft Office Compatibility Pack SP3

· Microsoft Word Viewer

· Microsoft Excel Viewer

· Microsoft Auto Updater for Mac

· Microsoft SharePoint Server 2007, 2010

· Microsoft Office Web Apps 2010

RISK:

Government:

· Large and medium government entities: High

· Small government: Medium

Businesses:

· Large and medium business entities: High

· Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Microsoft Office, the most severe of which could result in remote code execution if a user opens a specially crafted Microsoft Office file. The software updates in this security bulletin replace previous updates for Microsoft Office products contained in the following security bulletins: MS14-036, MS15-116, MS16-107, and MS16-133.

· Multiple memory corruption vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory. (CVE-2016-7263, CVE-2016-7277, CVE-2016-7289, CVE-2016-7298)

· A remote code execution vulnerability exists when Microsoft Office improperly validates input before loading libraries. (CVE-2016-7275)

· A security feature bypass vulnerability exists when Microsoft Office improperly handles the parsing of file formats. (CVE-2016-7267)

· A security feature bypass vulnerability exists when Microsoft Office improperly handles input. (CVE-2016-7262)

· A security feature bypass vulnerability exists when Microsoft Office improperly checks registry settings when an attempt is made to run embedded content. (CVE-2016-7266)

· An information disclosure vulnerability exists when Microsoft Office fails to properly handle objects in memory, allowing an attacker to retrieve information that could lead to an Address Space Layout Randomization (ASLR) bypass. (CVE-2016-7257)

· Multiple information disclosure vulnerabilities exist when Microsoft Office reads out-of-bounds memory, which could disclose the contents of memory. (CVE-2016-7264, CVE-2016-7265, CVE-2016-7268, CVE-2016-7276, CVE-2016-7290, CVE-2016-7291)

· An elevation of privilege vulnerability exists when the Microsoft Auto Update (MAU) application for Mac improperly validates updates before executing them. (CVE-2016-7300)

Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

· Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

· Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

· Remind users not to visit websites or follow links provided by unknown or untrusted sources.

· Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

· Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Microsoft:

https://technet.microsoft.com/en-us/library/security/ms16-148.aspx

https://technet.microsoft.com/en-us/library/security/ms14-036.aspx

https://technet.microsoft.com/en-us/library/security/ms15-116.aspx

https://technet.microsoft.com/en-us/library/security/ms16-107.aspx

https://technet.microsoft.com/en-us/library/security/ms16-133.aspx

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7257

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7262

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7263

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7264

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7265

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7266

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7267

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7268

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7275

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7276

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7277

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7289

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7290

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7291

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7298

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7300