Vulnerability Protection

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

Details

Report ID:

MS20170309

Date Published:

15 March 2017

Date Revised:

Criticality:

Important

Compromise Type:

Remote code execution, denial of service, information disclosure, security feature bypass

Compromise From:

Remote

Affected Product/Component:

Microsoft Office 2007
Microsoft Office 2010
Microsoft Office 2013
Microsoft Office 2013 RT
Microsoft Office 2016
Microsoft Office for Mac 2011
Microsoft Office 2016 for Mac
Microsoft Office Compatibility Pack SP3
Microsoft Excel Viewer
Microsoft Word Viewer
Microsoft SharePoint Server 2007
Microsoft SharePoint Server 2010
Microsoft SharePoint Server 2013
Microsoft Office Web Apps 2010
Microsoft Office Web Apps 2013
Microsoft Lync for Mac

Summary

Multiple vulnerabilities discovered in Microsoft Office could be exploited to allow remote code execution, denial of service, information disclosure, and security feature bypass.

Detailed Description

Microsoft has released a security update for Microsoft Office that addresses twelve reported vulnerabilities. Seven are remote code execution vulnerabilities caused by improper handling of objects in memory, and two are information disclosure vulnerabilities caused by improper disclosure of memory contents. The remaining three are one denial of service vulnerability, one escalation of privilege vulnerability, and one security feature bypass vulnerability. These last three were caused by improper handling of objects in memory, improper sanitization of web requests, and improper validation of certificates. The latest security update rectifies all of these issues by introducing corrective modifications to the applicable components.

CVE Reference

CVE-2017-0006, CVE-2017-0019, CVE-2017-0020, CVE-2017-0030, CVE-2017-0031, CVE-2017-0052, CVE-2017-0053, CVE-2017-0027, CVE-2017-0029, CVE-2017-0105, CVE-2017-0107, CVE-2017-0129

Solution

Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/library/security/MS17-014

Source

Microsoft Security Bulletin MS17-014