
====================================================================

                              CERT-Renater

                   Information Note No. 2016/VULN109
_____________________________________________________________________

DATE                : 10/03/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Microsoft Office,
                          Microsoft Office Compatibility Pack,
                          Microsoft Word Viewer,
                          Microsoft Office Services and Web Apps,
                          Microsoft SharePoint Server,
                          Microsoft Office Web Apps.

======================================================================
KB3141806
https://technet.microsoft.com/en-us/library/security/MS16-029
_____________________________________________________________________

Microsoft Security Bulletin MS16-029: Security Update for Microsoft 
Office to Address Remote Code Execution - Important (3141806)

Bulletin Number: MS16-029

Bulletin Title: Security Update for Microsoft Office to Address Remote 
Code Execution

Severity: Important

KB Article: 3141806

Version: 1.0

Published Date: March 8, 2016


Executive Summary

This security update resolves vulnerabilities in Microsoft Office. The
most severe of the vulnerabilities could allow remote code execution if
a user opens a specially crafted Microsoft Office file. An attacker who
successfully exploited the vulnerabilities could run arbitrary code in
the context of the current user. Customers whose accounts are
configured to have fewer user rights on the system could be less
impacted than those who operate with administrative user rights.


Affected Software

Microsoft Office 2007

    Microsoft Office 2007 Service Pack 3 (2956110)

    Microsoft InfoPath 2007 Service Pack 3 (3114426)

    Microsoft Word 2007 Service Pack 3 (3114901)

Microsoft Office 2010

    Microsoft Office 2010 Service Pack 2 (32-bit editions) (2956063)

    Microsoft Office 2010 Service Pack 2 (32-bit editions) (3114873)

    Microsoft Office 2010 Service Pack 2 (64-bit editions) (3114873)

    Microsoft InfoPath 2010 Service Pack 2 (32-bit editions) (3114414)

    Microsoft InfoPath 2010 Service Pack 2 (64-bit editions) (3114414)

    Microsoft Word 2010 Service Pack 2 (32-bit editions) (3114878)

    Microsoft Word 2010 Service Pack 2 (64-bit editions) (3114878)

Microsoft Office 2013

    Microsoft Office 2013 Service Pack 1 (32-bit editions) (3039746)

    Microsoft InfoPath 2013 Service Pack 1 (32-bit editions) (3114833)

    Microsoft InfoPath 2013 Service Pack 1 (64-bit editions) (3114833)

    Microsoft Word 2013 Service Pack 1 (32-bit editions) (3114824)

    Microsoft Word 2013 Service Pack 1 (64-bit editions) (3114824)

Microsoft Office 2013 RT

    Microsoft Word 2013 RT Service Pack 1 (3114824)[1]

Microsoft Office 2016

    Microsoft Office 2016 (32-bit edition) (3114690)

    Microsoft Word 2016 (32-bit edition) (3114855)

    Microsoft Word 2016 (64-bit edition) (3114855)

Microsoft Office for Mac 2011

    Microsoft Word for Mac 2011 (3138328)[2]

Microsoft Office 2016 for Mac

    Microsoft Word 2016 for Mac (3138327)[2]


Other Office Software

    Microsoft Office Compatibility Pack Service Pack 3 (3114900)

    Microsoft Word Viewer (3114812)

[1]This update is available via Windows Update.

[2]The 3138328 update for Microsoft Office for Mac 2011 and the 3138327
update for Microsoft Office 2016 for Mac are not yet available. The
updates will be released as soon as they are available and users will
be notified via a bulletin revision.


Microsoft Office Services and Web Apps

Microsoft SharePoint Server 2010

    Word Automation Services on Microsoft SharePoint Server 2010
    Service Pack 2 (3114866)

Microsoft SharePoint Server 2013

    Word Automation Services on Microsoft SharePoint Server 2013
    Service Pack 1 (3114814)

Microsoft Office Web Apps 2010

    Microsoft Office Web Apps 2010 Service Pack 2 (3114880)

Microsoft Office Web Apps 2013

    Microsoft Web Apps Server 2013 Service Pack 1 (3114821)


Vulnerability Information

Multiple Microsoft Office Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in Microsoft
Office software when the Office software fails to properly handle
objects in memory.
An attacker who successfully exploited the vulnerabilities could run
arbitrary code in the context of the current user. If the current user
is logged on with administrative user rights, an attacker could take
control of the affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights. Users whose accounts are configured to have fewer
user rights on the system could be less impacted than users who
operate with administrative user rights.

Exploitation of the vulnerabilities requires that a user open a
specially crafted file with an affected version of Microsoft Office
software. Note that the Preview Pane is not an attack vector for these
vulnerabilities. In an email attack scenario an attacker could exploit
the vulnerabilities by sending the specially crafted file to the user
and convincing the user to open the file. In a web-based attack
scenario an attacker could host a website (or leverage a compromised
website that accepts or hosts user-provided content) that contains a
specially crafted file that is designed to exploit the vulnerabilities.
An attacker would have no way to force users to visit the website.
Instead, an attacker would have to convince users to click a link,
typically by way of an enticement in an email or Instant Messenger
message, and then convince them to open the specially crafted file.

The security update addresses the vulnerabilities by correcting how
Office handles objects in memory.

The following tables contain links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title        CVE number      Publicly disclosed   Exploited

Microsoft Office Memory
Corruption Vulnerability   CVE-2016-0021   No                   No

Microsoft Office Memory
Corruption Vulnerability   CVE-2016-0134   No                   No


Microsoft Office Security Feature Bypass Vulnerability - CVE-2016-0057

A security feature bypass vulnerability exists in Microsoft Office
software due to an invalidly signed binary. An attacker who
successfully exploited the vulnerability could use a similarly
configured binary to host malicious code.
A defender would then not be able to rely on a valid binary signature
to differentiate between a known good and a malicious binary.

To successfully exploit this vulnerability, an attacker would have to
have write access to the target location that contains the invalidly
signed binary.
The attacker could then overwrite the original file with their own
malicious file and wait for an application, or user, to trigger the
malicious binary.

The security update addresses the vulnerability by providing a validly
signed binary.

The following tables contain links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title            CVE number      Publicly disclosed   Exploited

Microsoft Office Security
Feature Bypass Vulnerability   CVE-2016-0057   No                   No
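
The two conditions described for CVE-2016-0057 (a binary whose signature
does not validate, in a location an attacker can write to) can be audited
on a host. The script below is an added example, not part of the Microsoft
bulletin or the CERT-Renater note; the default path and the list of
low-privileged SIDs are assumptions to adapt locally.

```powershell
# Added example: list binaries whose Authenticode signature does not
# validate, and whether low-privileged principals can write to their folder.
param(
    # Assumed default location; the bulletin does not name the binary or its path.
    [string]$Path = "$env:ProgramFiles\Microsoft Office"
)

# Well-known SIDs (language independent): Everyone, Authenticated Users, BUILTIN\Users.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Rights that allow a file in the directory to be replaced or modified.
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'
$sidType   = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

        # Explicit and inherited ACEs on the containing directory, keyed by SID.
        $acl   = Get-Acl -Path $file.DirectoryName
        $rules = $acl.GetAccessRules($true, $true, $sidType)
        $writable = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPrivSids -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $writeBits) -ne 0
        }

        [pscustomobject]@{
            File            = $file.FullName
            SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer          = $sig.SignerCertificate.Subject
            LowPrivWrite    = [bool]$writable
        }
    } |
    # Report anything that is not validly signed or sits in a writable folder.
    Where-Object { $_.SignatureStatus -ne 'Valid' -or $_.LowPrivWrite } |
    Sort-Object LowPrivWrite -Descending |
    Format-Table -AutoSize
```

Run before and after applying the update to confirm that the affected
binary now reports a Valid status.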


==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================





