
====================================================================

                                CERT-Renater

                   Information Note No. 2016/VULN010
_____________________________________________________________________

DATE                : 13/01/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Microsoft Office 2007, 2010, 2013,
                     2016, Office for Mac 2011, Office 2016 for Mac,
                     Microsoft Office Compatibility Pack,
                     Microsoft Word Viewer,
                     Microsoft SharePoint Foundation 2013,
                     Microsoft Visual Basic Runtime 6.0.

======================================================================
KB3124585
https://technet.microsoft.com/en-us/library/security/MS16-004
_____________________________________________________________________

Microsoft Security Bulletin MS16-004 Security Update for Microsoft
Office to Address Remote Code Execution - Critical (3124585)

Document Metadata

Bulletin Number: MS16-004

Bulletin Title: Security Update for Microsoft Office to Address Remote
Code Execution

Severity: Critical

KB Article: 3124585

Version: 1.0

Published Date: January 12, 2016


Executive Summary

This security update resolves vulnerabilities in Microsoft Office. The
most severe of the vulnerabilities could allow remote code execution if
a user opens a specially crafted Microsoft Office file. An attacker who
successfully exploited the vulnerabilities could run arbitrary code in
the context of the current user. Customers whose accounts are
configured to have fewer user rights on the system could be less
impacted than those who operate with administrative user rights.


Affected Software

Microsoft Office 2007

Microsoft Office 2010

Microsoft Office 2013

Microsoft Office 2013 RT

Microsoft Office 2016

Microsoft Office for Mac 2011

Microsoft Office 2016 for Mac

Microsoft Office Compatibility Pack Service Pack 3

Microsoft Excel Viewer

Microsoft Word Viewer

Microsoft SharePoint Foundation 2013

Microsoft Visual Basic Runtime 6.0


Vulnerability Information

Multiple Microsoft Office Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in Microsoft
Office software when the Office software fails to properly handle
objects in memory.
An attacker who successfully exploited these vulnerabilities could run
arbitrary code in the context of the current user. If the current user
is logged on with administrative user rights, an attacker could take
control of the affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights. Users whose accounts are configured to have fewer
user rights on the system could be less impacted than users who operate
with administrative user rights.

To exploit the vulnerabilities, a user must open a specially crafted
file with an affected version of Microsoft Office software. In an email
attack scenario an attacker could exploit the vulnerabilities by
sending the specially crafted file to the user and convincing the user
to open the file. In a web-based attack scenario an attacker could host
a website (or leverage a compromised website that accepts or hosts
user-provided content) that contains a specially crafted file that is
designed to exploit the vulnerabilities. An attacker would have no way
to force users to visit the website. Instead, an attacker would have to
convince users to click a link, typically by way of an enticement in an
email or Instant Messenger message, and then convince them to open the
specially crafted file. The security update addresses the
vulnerabilities by correcting how Office handles objects in memory.

The following tables contain links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                CVE number      Publicly disclosed   Exploited
Microsoft Office Memory Corruption Vulnerability   CVE-2016-0010   No                   No
Microsoft Office Memory Corruption Vulnerability   CVE-2016-0035   Yes                  No

Multiple Microsoft SharePoint Security Feature Bypasses

Multiple security feature bypasses exist in Microsoft SharePoint when
Access Control Policy (ACP) configuration settings are not enforced
correctly.

To exploit the bypasses, an attacker could add script to a webpart, on
a SharePoint site, that only a SharePoint site administrator could
normally add, and then use the webpart in a cross-site scripting attack
in the context of a user visiting the SharePoint site. The bypasses
could allow the attacker to read unauthorized content and perform
actions on the SharePoint site as the user, such as changing
permissions, deleting content, and injecting malicious content into the
user's browser. The update addresses the bypasses by ensuring that ACP
configuration settings are enforced correctly.

The following tables contain links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                          CVE number      Publicly disclosed   Exploited
Microsoft SharePoint Security Feature Bypass CVE-2016-0011   No                   No
Microsoft SharePoint Security Feature Bypass CVE-2015-6117   Yes                  No

Microsoft Office ASLR Bypass - CVE-2016-0012

A security feature bypass exists when Microsoft Office fails to use the
Address Space Layout Randomization (ASLR) security feature, allowing an
attacker to more reliably predict the memory offsets of specific
instructions in a given call stack. An attacker who successfully
exploited it could bypass the Address Space Layout Randomization (ASLR)
security feature, which helps protect users from a broad class of
vulnerabilities. The security feature bypass by itself does not allow
arbitrary code execution. However, an attacker could use this ASLR
bypass in conjunction with another vulnerability, such as a remote code
execution vulnerability, to more reliably run arbitrary code on a
target system.

In a web-browsing scenario, successful exploitation of the ASLR bypass
requires a user to be logged on and running an affected version of
Microsoft Office. The user would then need to browse to a malicious
site. Therefore, any systems where a web browser is used frequently,
such as workstations or terminal servers, are at the most risk from
this ASLR bypass. Servers could be at more risk if administrators allow
users to browse and read email on servers. However, best practices
strongly discourage allowing this. The update addresses the ASLR bypass
by helping to ensure that affected versions of Microsoft Office
properly implement the ASLR security feature.

Microsoft received information about this bypass through coordinated
bypass disclosure. At the time this security bulletin was originally
issued, Microsoft was unaware of any attack attempting to exploit this
bypass.
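As an added illustration of the ASLR point above (example code, not part of the CERT-Renater note or Microsoft's bulletin): a module only gets a randomised base address if its PE header sets IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and its relocations were not stripped, so an administrator can audit an installed module by reading those two flags. The parser below checks both; the sample headers it is tested against are constructed, and no real Office module name is assumed.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # DllCharacteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

def aslr_status(data: bytes) -> dict:
    """Parse the COFF and optional headers of a PE image and report whether
    the loader can actually randomise its base address."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # DllCharacteristics
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # DYNAMIC_BASE without .reloc data still loads at the preferred base.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }

def build_sample_pe(magic: int, dll_chars: int, characteristics: int = 0) -> bytes:
    """Constructed minimal PE header for testing; not taken from any real binary."""
    opt_size = 240 if magic == 0x20B else 224
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)           # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)         # e_lfanew -> PE signature
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664 if magic == 0x20B else 0x14C,
                       1, 0, 0, 0, opt_size, characteristics)  # COFF header
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)      # DllCharacteristics
    return bytes(hdr + opt)
```

On a real system, pass the first few kilobytes of a module file (open(path, "rb").read(0x1000)) to aslr_status; a result with aslr_effective False is a module whose base address an attacker could predict.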

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================