
=====================================================================

                           CERT-Renater

               Information Note No. 2014/VULN074
_____________________________________________________________________

DATE                : 25/03/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Microsoft Word versions 2003,
                      2007, 2010, 2013,
                     Microsoft Word Viewer,
                     Microsoft Office for Mac version 2011,
                     Word Automation Services on Microsoft SharePoint
                       Server version 2010, 2013,
                     Microsoft Office Web Apps version 2010, Server
                       2013,
                     Microsoft Office Compatibility Pack.

======================================================================
https://technet.microsoft.com/en-us/security/advisory/2953095
______________________________________________________________________


Microsoft Security Advisory (2953095)
Vulnerability in Microsoft Word Could Allow Remote Code Execution

Published: Monday, March 24, 2014

Version: 1.0
General Information
Executive Summary

Microsoft is aware of a vulnerability affecting supported versions of
Microsoft Word. At this time, we are aware of limited, targeted attacks
directed at Microsoft Word 2010. The vulnerability could allow remote
code execution if a user opens a specially crafted RTF file using an
affected version of Microsoft Word, or previews or opens a specially
crafted RTF email message in Microsoft Outlook while using Microsoft
Word as the email viewer.

An attacker who successfully exploited the vulnerability could gain the
same user rights as the current user. Customers whose accounts are
configured to have fewer user rights on the system could be less
impacted than those who operate with administrative user rights.

Applying the Microsoft Fix it solution, "Disable opening RTF content in
Microsoft Word," prevents the exploitation of this issue through
Microsoft Word. See the Suggested Actions section of this advisory for
more information.

The vulnerability is a remote code execution vulnerability. The issue
is caused when Microsoft Word parses specially crafted RTF-formatted
data causing system memory to become corrupted in such a way that an
attacker could execute arbitrary code. The vulnerability could be
exploited through Microsoft Outlook only when using Microsoft Word as
the email viewer. Note that by default, Microsoft Word is the email
reader in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft
Outlook 2013.


Issue References

For more information about this issue, see the following references:

References                           Identification
Microsoft Knowledge Base Article     2953095

CVE Reference                        CVE-2014-1761


Affected Software

Microsoft Word 2003 Service Pack 3
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 1 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 1 (64-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 (32-bit editions)
Microsoft Word 2013 (64-bit editions)
Microsoft Word 2013 RT
Microsoft Word Viewer
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office for Mac 2011
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
Word Automation Services on Microsoft SharePoint Server 2013
Microsoft Office Web Apps 2010 Service Pack 1
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps Server 2013



Suggested Actions

Workarounds

* Apply the Microsoft Fix it solution, "Disable opening RTF content in
Microsoft Word", that prevents exploitation of this issue

See Microsoft Knowledge Base Article 2953095 to use the automated
Microsoft Fix it solution to enable or disable this workaround.

Note This Microsoft Fix it solution configures the Microsoft Office
File Block policy to prevent the opening of RTF files in supported
versions of Microsoft Word.


* Read emails in plain text

To help protect yourself from the email attack vector, read email
messages in plain text format.

Microsoft Outlook 2003, Microsoft Outlook 2007, Microsoft Outlook 2010,
and Microsoft Outlook 2013 provide an option for reading email messages
in plain text format. For more information about the Read all standard
mail in plain text option, see Microsoft Knowledge Base Article 831607
and Read email messages in plain text.

Microsoft Office Outlook 2002 users who have applied Office XP Service
Pack 1, Office XP Service Pack 2, or Office XP Service Pack 3 can
enable this setting and view in plain text only those email messages
that are not digitally signed or email messages that are not encrypted.
Digitally signed email messages or encrypted email messages are not
affected by the setting and may be read in their original formats. For
more information about how to enable this setting in Outlook 2002, see
Microsoft Knowledge Base Article 307594.

Impact of workaround. Email messages that are viewed in plain text
format will not contain pictures, specialized fonts, animations, or
other rich content. In addition, the following behavior may be
experienced:

   The changes are applied to the preview pane and to open messages.
   Pictures become attachments so that they are not lost.
   Because the message is still in Rich Text or HTML format in the
   store, the object model (custom code solutions) may behave
   unexpectedly.


* Use Microsoft Office File Block policy to prevent the opening of RTF
files in Microsoft Word 2007, Microsoft Word 2010, and Microsoft Word
2013

You can block specific types of files from being opened or saved in
Excel, PowerPoint, and Word by configuring settings in either Group
Policy or the Office Customization Tool (OCT). For more information
about preventing users from opening specific types of files in
Microsoft Office, see Plan File block settings.

To use file block to help protect from exploitation of the
vulnerability, configure file block to block RTF files for affected
versions of Microsoft Word.

* Use Microsoft Office File Block policy to prevent the opening of RTF
files in Microsoft Word 2003

Note Modifying the Registry incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from incorrect modification of the
Registry can be solved. Modify the Registry at your own risk.


For Office 2003

The following registry scripts can be used to set the File Block policy.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000001


Note In order to use 'FileOpenBlock' with Microsoft Office 2003, all of
the latest security updates for Microsoft Office 2003 must be applied.

Impact of workaround. For Microsoft Office 2003, users who have
configured the File Block policy and have not configured a special
exempt directory or have not moved files to a trusted location will be
unable to open RTF files. For more information about the impact of file
block setting in Microsoft Office software, see Microsoft Knowledge
Base Article 922850.
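
To confirm the workaround is in place, the following PowerShell script
(an added example, not part of the Microsoft advisory) reads the
FileOpenBlock key and RtfFiles value given above from every loaded user
hive, because a HKEY_CURRENT_USER setting applies per user. The function
name Get-RtfBlockState and the state labels are hypothetical.

```powershell
# Added example: audit the Office 2003 File Block workaround per user hive.
# Key path and value name are taken from the advisory's registry script.
$subKey    = 'Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock'
$valueName = 'RtfFiles'

function Get-RtfBlockState {
    param([string]$HiveRoot)   # e.g. 'Registry::HKEY_USERS\<SID>'

    $path = "$HiveRoot\$subKey"
    if (-not (Test-Path -LiteralPath $path)) { return 'KeyMissing' }

    $key   = Get-Item -LiteralPath $path
    $value = $key.GetValue($valueName, $null)
    if ($null -eq $value) { return 'ValueMissing' }

    # The advisory's script writes a DWORD; a string "1" does not count.
    if ($key.GetValueKind($valueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return 'WrongType'
    }
    if ($value -eq 1) { return 'Blocked' } else { return 'NotBlocked' }
}

# HKCU only covers the account running the script, so enumerate every
# loaded user hive under HKEY_USERS (run elevated to see other users).
# Hives of users who are not logged on are not loaded and are not checked.
$results = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        [pscustomobject]@{
            Sid   = $_.PSChildName
            State = Get-RtfBlockState -HiveRoot "Registry::HKEY_USERS\$($_.PSChildName)"
        }
    }

$results | Format-Table -AutoSize

# Non-zero exit code lets a management tool flag hosts that still open RTF.
if ($results | Where-Object { $_.State -ne 'Blocked' }) { exit 1 }
```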


How to undo the workaround.


For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
"RtfFiles"=dword:00000000


* Deploy the Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the
exploitation of this vulnerability by adding additional protection
layers that make the vulnerability harder to exploit. EMET 3.0 and EMET
4.1 are officially supported by Microsoft. At this time, EMET is only
available in the English language. For more information, see Microsoft
Knowledge Base Article 2458544.

For more information about configuring EMET, see the EMET User's Guide:

   On 32-bit systems the EMET User's Guide is located in
   C:\Program Files\EMET\EMET User's Guide.pdf
   On 64-bit systems the EMET User's Guide is located in
   C:\Program Files (x86)\EMET\EMET User's Guide.pdf


Configure EMET 4.1 for Microsoft Office applications

EMET 4.1, in the recommended configuration, is automatically configured
to help protect affected software installed on your system. No
additional steps are required.

Configure EMET 3.0 for Microsoft Office applications from the EMET user
interface

To add an Office application to the list of applications using EMET
3.0, perform the following steps. You need to perform these steps for
each of the following Office application executables:

- Word.exe
- Outlook.exe
- wordview.exe

To start EMET, click Start, All Programs, Enhanced Mitigation
Experience Toolkit, and EMET 3.0. Then for each affected software
perform the following:

    Click Yes on the UAC prompt, click Configure Apps, then select Add.
    Browse to the application to be configured in EMET.
    Click OK and exit EMET.

For 32-bit versions of Microsoft Office software on 64-bit Windows
operating systems, the file paths are:

For Office 2003: %ProgramFiles(x86)%\Microsoft Office\Office11\
For Office 2007: %ProgramFiles(x86)%\Microsoft Office\Office12\
For Office 2010: %ProgramFiles(x86)%\Microsoft Office\Office14\
For Office 2013: %ProgramFiles(x86)%\Microsoft Office\Office15\

For 32-bit versions of Microsoft Office software on 32-bit Windows
operating systems, the file paths are:

For Office 2003: %ProgramFiles%\Microsoft Office\Office11\
For Office 2007: %ProgramFiles%\Microsoft Office\Office12\
For Office 2010: %ProgramFiles%\Microsoft Office\Office14\
For Office 2013: %ProgramFiles%\Microsoft Office\Office15\

For 64-bit versions of Microsoft Office software, the file paths are:

For Office 2010: %ProgramFiles%\Microsoft Office\Office14\
For Office 2013: %ProgramFiles%\Microsoft Office\Office15\

Configure EMET 3.0 for Microsoft Office applications from a command line

Opt in the following Office application executables to all EMET 3.0
mitigations:

- Word.exe
- Outlook.exe
- wordview.exe

   Run the following from an elevated command prompt:

   For 32-bit versions of Microsoft Office software:

   "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

   OR

   "C:\Program Files (x86)\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

   For 64-bit versions of Microsoft Office software:

   "C:\Program Files\EMET\EMET_Conf.exe" --set "*\Microsoft Office\Office1*\<Office application filename>.exe"

   If you have completed this successfully, the following message appears:

   "The changes you have made may require restarting one or more applications"

Configure EMET for Microsoft Office applications using Group Policy

EMET can be configured using Group Policy. For information about
configuring EMET using Group Policy, see the EMET User's Guide:

For EMET 4.1:

    On 32-bit systems the EMET User's Guide is located in
    C:\Program Files\EMET 4.1\EMET User's Guide.pdf
    On 64-bit systems the EMET User's Guide is located in
    C:\Program Files (x86)\EMET 4.1\EMET User's Guide.pdf

For EMET 3.0:

    On 32-bit systems the EMET User's Guide is located in
    C:\Program Files\EMET\EMET User's Guide.pdf
    On 64-bit systems the EMET User's Guide is located in
    C:\Program Files (x86)\EMET\EMET User's Guide.pdf


Acknowledgments

Microsoft thanks the following for working with us to help protect
customers:

Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security
Team for reporting the Word RTF Memory Corruption Vulnerability
(CVE-2014-1761)

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
