A vulnerability has been reported in Microsoft Office that could allow information disclosure if a user opens a Microsoft Office file hosted on a specially crafted website. Microsoft Office is an office suite of desktop applications, servers and services for both Microsoft Windows and Apple's OS X operating systems. If successful, an attacker would gain access to the identity and privileges of the user account and authenticate as the user to a targeted SharePoint site or other Microsoft Office server site.
- Microsoft Office 2013
A token hijacking vulnerability exists in Microsoft Office. This vulnerability exists when affected Microsoft Office software does not properly handle a specially crafted response while attempting to open an Office file hosted on a specially crafted website. For an attack to be successful, the user must click a specially crafted link or file within an email or visit a specially crafted website. If successful, an attacker would gain access to the identity and privileges of the user account and authenticate as the user to a targeted SharePoint site or other Microsoft Office server site.
- Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to download or open files from untrusted websites.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
https://technet.microsoft.com/en-us/security/bulletin/ms13-104
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5054