Microsoft Office vulnerabilities could allow remote code execution
Report ID: MS201309006
Date Published: 11 September 2013
Criticality: Important
Compromise Type: information-disclosure, remote-code-execution
Compromise From: remote
Affected Product/Component:
Microsoft Word 2003
Microsoft Word 2007
Microsoft Word 2010
Summary
Multiple vulnerabilities reported in Microsoft Word could lead to information disclosure and remote code execution.
Detailed Description
Microsoft has released a security update to address thirteen reported vulnerabilities in Microsoft Word, one of which could lead to information disclosure while the other twelve could lead to remote code execution. The vulnerabilities were caused by improper handling of XML external entities and improper handling of objects in memory.
These vulnerabilities have been addressed in the latest update, which corrects the way that Word uses its XML parser and the way that Office parses files. Users are advised to install the update on their systems as a protective measure against exploit attempts.
CVE Reference
CVE-2013-3160, CVE-2013-3847, CVE-2013-3848, CVE-2013-3849, CVE-2013-3850, CVE-2013-3851, CVE-2013-3852, CVE-2013-3853, CVE-2013-3854, CVE-2013-3855, CVE-2013-3856, CVE-2013-3857, CVE-2013-3858
Solution
Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms13-072
F-Secure Health Check
F-Secure's free tool, the Health Check, detects if your system is missing the patch for the vulnerability covered in this report.




