Vulnerability in Microsoft Office Could Allow Information Disclosure (2909976)

ITS Advisory Number: 
2013-120
Date(s) Issued: 
Tuesday, December 10, 2013
Subject: 
Vulnerability in Microsoft Office Could Allow Information Disclosure (2909976)
Overview: 

A vulnerability has been reported in Microsoft Office that could allow information disclosure if a user attempts to open a Microsoft Office file hosted on a specially crafted website. Microsoft Office is an office suite of desktop applications, servers and services for both Microsoft Windows and Apple's OS X operating systems. If successful, an attacker could obtain the access token that authenticates the current user and use it to authenticate as that user to a targeted SharePoint site or other Microsoft Office server site, thereby gaining the identity and privileges of the user account on that site.

Systems Affected: 
  • Microsoft Office 2013
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

A token hijacking vulnerability exists in Microsoft Office. The vulnerability is triggered when affected Microsoft Office software does not properly handle a specially crafted response received while attempting to open an Office file hosted on a specially crafted website; as a result, the access token used to authenticate the current user can be disclosed to the attacker's site. For an attack to succeed, the user must click a specially crafted link or file within an email or visit a specially crafted website. If successful, an attacker would gain access to the identity and privileges of the user account and could authenticate as the user to a targeted SharePoint site or other Microsoft Office server site.
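The following is an added illustration of the vulnerability class described above, not code from Microsoft or from the advisory: a simulated document-opening client that caches an authentication token for a SharePoint origin and receives a challenge from the web server hosting a file. The vulnerable mode answers any challenge with whatever token it holds, so a crafted response from an attacker's site captures the SharePoint token; the hardened mode attaches a token only when the request's own origin is the one the token was issued for. The hostnames, token value and the exact shape of the crafted response are constructed for the example and do not reproduce Office's actual protocol handling.

```python
from urllib.parse import urlsplit

# Constructed sample data for this example (hypothetical hosts, made-up token).
SHAREPOINT_ORIGIN = "https://sharepoint.example.com"
ATTACKER_ORIGIN = "https://files.attacker.example"
CACHED_TOKENS = {SHAREPOINT_ORIGIN: "Bearer tok-example-issued-for-sharepoint"}


def origin_of(url: str) -> str:
    """Scheme plus host (lower-cased), the unit a token must be scoped to."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


class FakeServer:
    """Stands in for the web server hosting a document and records what it receives."""

    def __init__(self, origin: str):
        self.origin = origin
        self.received_auth = []  # Authorization header values this server saw

    def respond(self, headers: dict) -> dict:
        auth = headers.get("Authorization")
        if auth:
            self.received_auth.append(auth)
            return {"status": 200}
        # Without credentials the server challenges the client. A crafted response
        # from an attacker-controlled site is modelled as the same kind of challenge:
        # it simply asks the client to authenticate to the attacker's host.
        return {"status": 401, "headers": {"WWW-Authenticate": "Bearer"}}


def open_document(url: str, servers: dict, scope_token: bool) -> dict:
    """Simulated client. scope_token=False models the flaw the advisory describes:
    a challenge is answered with a cached token regardless of which origin the
    token was issued for. scope_token=True models the fix: only a token issued for
    the request's own origin is ever attached; otherwise the user is prompted."""
    target_origin = origin_of(url)
    server = servers[target_origin]
    resp = server.respond({})
    if resp["status"] != 401:
        return resp
    if scope_token:
        token = CACHED_TOKENS.get(target_origin)
    else:
        token = next(iter(CACHED_TOKENS.values()), None)
    if token is None:
        return {"status": 401, "note": "no token for this origin; prompt the user instead"}
    return server.respond({"Authorization": token})


def run_scenario(scope_token: bool) -> dict:
    """Open one document on the legitimate site and one on the attacker's site and
    report which server ended up holding the user's token."""
    sharepoint = FakeServer(SHAREPOINT_ORIGIN)
    attacker = FakeServer(ATTACKER_ORIGIN)
    servers = {sharepoint.origin: sharepoint, attacker.origin: attacker}
    open_document(SHAREPOINT_ORIGIN + "/sites/hr/budget.docx", servers, scope_token)
    open_document(ATTACKER_ORIGIN + "/invoice.docx", servers, scope_token)
    return {
        "sharepoint_got_token": bool(sharepoint.received_auth),
        "attacker_got_token": bool(attacker.received_auth),
    }


if __name__ == "__main__":
    print("vulnerable client:", run_scenario(scope_token=False))
    print("hardened client: ", run_scenario(scope_token=True))
```

The design point is that the token's binding to an origin has to be enforced by the client at the moment it decides what to send, since the server response that triggers the send is fully under the attacker's control; user awareness (not opening files from untrusted sites) only reduces how often that decision is reached.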

Actions: 
  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to download or open files from untrusted websites.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
References: 
Microsoft:
https://technet.microsoft.com/en-us/security/bulletin/ms13-104
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5054