Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS15-012)

ITS Advisory Number: 
2015-013
Date(s) Issued: 
Tuesday, February 10, 2015
Subject: 
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS 15-01)
Overview: 

This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.

Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Microsoft Excel 2007 SP 3
  • Microsoft Word 2007 SP3
  • Microsoft Office 2010 SP 2
  • Microsoft Excel 2013
  • Microsoft Excel 2013 SP 1
  • Microsoft Office 2013 RT
  • Microsoft Office 2013 RT SP 1
  • Word Automation Services
  • Microsoft Web Applications 2010 SP2
  • Microsoft Word Viewer
  • Microsoft Excel Viewer
  • Microsoft Office Compatibility Pack SP3
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
Medium
Small business entities: 
High
Home Users: 
High
Description: 

A remote code execution vulnerability exists in Microsoft Office that is caused when Excel or Word improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.

Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel or Word. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains the specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to visit it, typically by getting them to click a link in an email message or Instant Messenger message, and then convince them to open the specially crafted file.

Actions: 

We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.
  • Inform and educate users regarding the threats posed by attachments and hypertext links contained in emails especially from un-trusted sources.