=====================================================================
                           CERT-Renater

              Information Note No. 2014/VULN007
_____________________________________________________________________

DATE                 : 15/01/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Microsoft Office versions 2003,
                     2007, 2010, 2013, Microsoft Office Compatibility
                     Pack, Microsoft Word Viewer, Microsoft SharePoint
                     Server version 2010, 2013, Microsoft Office Web
                     Apps version 2010, 2013.

======================================================================
KB2916605
https://technet.microsoft.com/en-us/security/bulletin/ms14-001
______________________________________________________________________

Microsoft Security Bulletin MS14-001 - Important

Vulnerabilities in Microsoft Word and Office Web Apps Could Allow
Remote Code Execution (2916605)

Published Date: January 14, 2014

Version: 1.0

General Information

Executive Summary

This security update resolves three privately reported vulnerabilities
in Microsoft Office. The vulnerabilities could allow remote code
execution if a specially crafted file is opened in an affected version
of Microsoft Word or other affected Microsoft Office software. An
attacker who successfully exploited the vulnerabilities could gain the
same user rights as the current user. Users whose accounts are
configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights.

This security update is rated Important for supported editions of
Microsoft Word 2003, Microsoft Word 2007, Microsoft Word 2010,
Microsoft Word 2013, Microsoft Word 2013 RT, and for affected
Microsoft Office services and Web Apps on supported editions of
Microsoft SharePoint Server 2010, Microsoft SharePoint Server 2013,
and Microsoft Web Apps Server 2013. This security update is also rated
Important for supported versions of Microsoft Word Viewer and
Microsoft Office Compatibility Pack.

For more information, see the subsection, Affected and Non-Affected
Software, in this section.

Affected Software

Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 1 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 1 (64-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 (32-bit editions)
Microsoft Office 2013 (64-bit editions)
Microsoft Office 2013 RT
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Word Viewer
Microsoft SharePoint Server 2010 Service Pack 1
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft SharePoint Server 2013
Microsoft Office Web Apps 2010 Service Pack 1
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps 2013

Vulnerability Information

Multiple Memory Corruption Vulnerabilities in Microsoft Word

Remote code execution vulnerabilities exist in the way that affected
Microsoft Office software parses specially crafted files. An attacker
who successfully exploited these vulnerabilities could take complete
control of an affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights.

To view these vulnerabilities as a standard entry in the Common
Vulnerabilities and Exposures list, click the link in the following
table:

Vulnerability title                       CVE number
Word Memory Corruption Vulnerability      CVE-2014-0258
Word Memory Corruption Vulnerability      CVE-2014-0259
Word Memory Corruption Vulnerability      CVE-2014-0260

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel   | fax  : 01-53-94-20-41           +
+ 75013 Paris          | email: cert@support.renater.fr  +
==========================================================