Microsoft Security Bulletin MS15-099 - Critical

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3089664)

Published: September 8, 2015 | Updated: November 10, 2015

Version: 5.0

Executive Summary

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for all supported editions of the following software:

  • Microsoft Office 2007
  • Microsoft Office 2010
  • Microsoft Office 2013
  • Microsoft Office 2013 RT
  • Microsoft Office 2016

This security update is rated Important for all supported editions of the following software:

  • Microsoft Excel for Mac 2011
  • Microsoft Excel 2016 for Mac
  • Microsoft SharePoint Foundation 2013, Microsoft SharePoint Server 2013

For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how Microsoft Office handles files in memory and by modifying how SharePoint validates web requests. For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3089664.

Affected Software and Vulnerability Severity Ratings

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the September bulletin summary.  

Microsoft Office Software

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

| Affected Software | Microsoft Office Memory Corruption Vulnerability - CVE-2015-2520 | Microsoft Office Memory Corruption Vulnerability - CVE-2015-2521 | Microsoft Office Memory Corruption Vulnerability - CVE-2015-2523 | Microsoft Office Malformed EPS File Vulnerability - CVE-2015-2545 | Updates Replaced* |
|---|---|---|---|---|---|
| Microsoft Office 2007 | | | | | |
| Microsoft Office 2007 Service Pack 3 (3085620) | Not applicable | Not applicable | Not applicable | Critical Remote Code Execution | 3054987 - previously released in this bulletin |
| Microsoft Excel 2007 Service Pack 3 (3085543) | Important Remote Code Execution | Important Remote Code Execution | Important Remote Code Execution | Not applicable | 3054992 in MS15-081 |
| Microsoft Office 2010 | | | | | |
| Microsoft Office 2010 Service Pack 2 (32-bit editions) (3085560) | Not applicable | Not applicable | Not applicable | Critical Remote Code Execution | 3054965 - previously released in this bulletin |
| Microsoft Office 2010 Service Pack 2 (64-bit editions) (3085560) | Not applicable | Not applicable | Not applicable | Critical Remote Code Execution | 3054965 - previously released in this bulletin |
| Microsoft Excel 2010 Service Pack 2 (32-bit editions) (3085526) | Important Remote Code Execution | Important Remote Code Execution | Important Remote Code Execution | Not applicable | 3055044 in MS15-081 |
| Microsoft Excel 2010 Service Pack 2 (64-bit editions) (3085526) | Important Remote Code Execution | Important Remote Code Execution | Important Remote Code Execution | Not applicable | 3055044 in MS15-081 |
| Microsoft Office 2013 | | | | | |
| Microsoft Office 2013 Service Pack 1 (32-bit editions) (3085572) | Not applicable | Not applicable | Not applicable | Critical Remote Code Execution | 3054932 - previously released in this bulletin |
| Microsoft Office 2013 Service Pack 1 (64-bit editions) (3085572) | Not applicable | Not applicable | Not applicable | Critical Remote Code Execution | 3054932 - previously released in this bulletin |
| Microsoft Excel 2013 Service Pack 1 (32-bit editions) (3085502) | Not applicable | Not applicable | Important Remote Code Execution | Not applicable | 3054991 in MS15-081 |
| Microsoft Excel 2013 Service Pack 1 (64-bit editions) (3085502) | Not applicable | Not applicable | Important Remote Code Execution | Not applicable | 3054991 in MS15-081 |
| Microsoft Office 2013 RT | | | | | |
| Microsoft Office 2013 RT Service Pack 1 (32-bit editions) (3085572)[1] | Not applicable | Not applicable | Not applicable | Critical Remote Code Execution | 3054932 - previously released in this bulletin |
| Microsoft Excel 2013 RT Service Pack 1 (3085502)[1] | Not applicable | Not applicable | Important Remote Code Execution | Not applicable | 3054991 in MS15-081 |
| Microsoft Office 2016 | | | | | |
| Microsoft Office 2016 (32-bit editions) (3085635) | Not applicable | Not applicable | Not applicable | Critical Remote Code Execution | 2910993 - previously released in this bulletin |
| Microsoft Office 2016 (64-bit editions) (3085635) | Not applicable | Not applicable | Not applicable | Critical Remote Code Execution | 2910993 - previously released in this bulletin |
| Microsoft Excel 2016 (32-bit editions) (2920693) | Not applicable | Not applicable | Important Remote Code Execution | Not applicable | None |
| Microsoft Excel 2016 (64-bit editions) (2920693) | Not applicable | Not applicable | Important Remote Code Execution | Not applicable | None |
| Microsoft Office for Mac 2011 | | | | | |
| Microsoft Excel for Mac 2011 (3088501) | Important Remote Code Execution | Not applicable | Important Remote Code Execution | Not applicable | 3081349 in MS15-081 |
| Microsoft Office 2016 for Mac | | | | | |
| Microsoft Excel 2016 for Mac (3088502)[2] | Important Remote Code Execution | Not applicable | Important Remote Code Execution | Not applicable | 3082420 in MS15-081 |
| Other Office Software | | | | | |
| Microsoft Office Compatibility Pack Service Pack 3 (3054993) | Important Remote Code Execution | Important Remote Code Execution | Important Remote Code Execution | Not applicable | 2965208 in MS15-070 |
| Microsoft Excel Viewer (3054995) | Important Remote Code Execution | Important Remote Code Execution | Important Remote Code Execution | Not applicable | 2965209 in MS15-070 |

[1]This update is available via Windows Update.

[2]As of September 15, 2015, the 3088502 update is available for Microsoft Office 2016 for Mac. For more information see Microsoft Knowledge Base Article 3088502.

 

Microsoft Server Software

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

| Affected Software | Microsoft SharePoint XSS Spoofing Vulnerability - CVE-2015-2522 | Updates Replaced* |
|---|---|---|
| Microsoft SharePoint Foundation 2013 | | |
| Microsoft SharePoint Foundation 2013 Service Pack 1 (3085501) | Important Spoofing | 3054792 in MS15-047 |

Update FAQ

Does this update contain any additional security-related changes to functionality?
Yes. In addition to the security updates that address the vulnerabilities described in this bulletin, Microsoft is releasing the following defense-in-depth updates for Microsoft SharePoint Server 2013 and Microsoft Office Web Apps Server 2013:

| Affected Software | Updates Replaced |
|---|---|
| Microsoft SharePoint Server 2013 Service Pack 1 (3054813) | 2956180 in MS15-022 |
| Microsoft SharePoint Server 2013 Service Pack 1 (3085483) | 3054861 in MS15-070 |
| Microsoft Office Web Apps Server 2013 Service Pack 1 (3085487) | 3055003 in MS15-081 |

There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Affected Software table for the software? 
Yes. Customers should apply all updates offered for the software installed on their systems.

I am being offered this update for software that is not specifically listed in the Affected Software table. Why am I being offered this update? 
When updates address vulnerable code that exists in a component that is shared between multiple Microsoft Office products or shared between multiple versions of the same Microsoft Office product, the update is considered to be applicable to all supported products and versions that contain the vulnerable component.

For example, when an update applies to Microsoft Office 2007 products, only Microsoft Office 2007 may be specifically listed in the Affected Software table. However, the update could apply to Microsoft Word 2007, Microsoft Excel 2007, Microsoft Visio 2007, Microsoft Compatibility Pack, Microsoft Excel Viewer, or any other Microsoft Office 2007 product that is not specifically listed in the Affected Software table.

For example, when an update applies to Microsoft Office 2010 products, only Microsoft Office 2010 may be specifically listed in the Affected Software table. However, the update could apply to Microsoft Word 2010, Microsoft Excel 2010, Microsoft Visio 2010, Microsoft Visio Viewer, or any other Microsoft Office 2010 product that is not specifically listed in the Affected Software table.

For example, when an update applies to Microsoft Office 2013 products, only Microsoft Office 2013 may be specifically listed in the Affected Software table. However, the update could apply to Microsoft Word 2013, Microsoft Excel 2013, Microsoft Visio 2013, or any other Microsoft Office 2013 product that is not specifically listed in the Affected Software table.

Vulnerability Information

Multiple Microsoft Office Memory Corruption Vulnerabilities

Remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory.

Exploitation of these vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message.

An attacker who successfully exploited these vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The security update addresses the vulnerabilities by correcting how Microsoft Office handles files in memory.

The following tables contain links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

| Vulnerability title | CVE number | Publicly Disclosed | Exploited |
|---|---|---|---|
| Microsoft Office Memory Corruption Vulnerability | CVE-2015-2520 | No | No |
| Microsoft Office Memory Corruption Vulnerability | CVE-2015-2521 | No | No |
| Microsoft Office Memory Corruption Vulnerability | CVE-2015-2523 | No | No |

 

Mitigating Factors

Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds

Microsoft has not identified any workarounds for these vulnerabilities. 

Microsoft SharePoint XSS Spoofing Vulnerability - CVE-2015-2522

A cross-site scripting (XSS) vulnerability, which could result in spoofing, exists when SharePoint fails to properly sanitize user-supplied web requests. An attacker who successfully exploited this vulnerability could perform persistent cross-site scripting attacks and run script (in the security context of the logged-on user) with malicious content that appears authentic. This could allow the attacker to steal sensitive information, including authentication cookies and recently submitted data.

To exploit this vulnerability, an attacker must have the ability to submit specially crafted content to a target site. Because of the vulnerability, in specific situations specially crafted script is not properly sanitized, which subsequently could lead to an attacker-supplied script being run in the security context of a user who views the malicious content. For cross-site scripting attacks, this vulnerability requires that a user be visiting a compromised site for any malicious action to occur. For instance, after an attacker has successfully submitted a specially crafted web request to a target site, any webpage on that site that contains the specially crafted content is a potential vector for cross-site scripting attacks. When a user visits a webpage that contains the specially crafted content, the script could be run in the security context of the user.

The security update addresses the vulnerability by modifying how SharePoint validates web requests.

Microsoft received information about the vulnerabilities through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that these vulnerabilities had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds

Microsoft has not identified any workarounds for these vulnerabilities. 

Microsoft Office Malformed EPS File Vulnerability - CVE-2015-2545

A remote code execution vulnerability exists in Microsoft Office that could be exploited when a user opens a file containing a malformed graphics image or when a user inserts a malformed graphics image into an Office file. Such a file could also be included in an email attachment. An attacker could exploit the vulnerability by constructing a specially crafted EPS file that could allow remote code execution. An attacker who successfully exploited this vulnerability could take control of the affected system.

This vulnerability could not be exploited automatically through a Web-based attack scenario. An attacker could host a specially crafted website containing an Office file that is designed to exploit the vulnerability, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker's website, or by getting them to open an attachment sent through email.

If Microsoft Word is the selected email reader, which is the default setting, then an attacker could leverage Outlook for an email-based attack by sending a specially crafted file, containing an EPS image binary, to the targeted user. In this scenario this attack vector requires minimal user action (as in viewing a specially crafted email through the preview pane in Outlook) to be exploited.

Workstations and terminal servers that have Microsoft Office installed are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

Microsoft received information about the vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had received reports of limited targeted attacks using this vulnerability.

Mitigations

The following mitigating factors may be helpful in your situation:

  • This vulnerability could not be exploited automatically through a Web-based attack scenario. An attacker would have to host a website that contains an Office file containing a specially crafted EPS image that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link that takes them to the attacker's site, and then convince the user to open the file in an affected Microsoft Office application.
  • The vulnerability could be exploited by an attacker who convinced a user to open a specially crafted file. There is no way for an attacker to force a user to open a specially crafted file.

Workarounds

The following workarounds may be helpful in your situation:

  • Modify the Access Control List to deny access to EPSIMP32.FLT for ALL USERS
    There are two ways to implement this workaround. You can manually apply the workaround by using either the Registry Method or the Script Method to deny access to EPSIMP32.FLT for ALL USERS. Alternatively, see Microsoft Knowledge Base Article 3092845 to use the automated Microsoft Fix it solutions.
Note:
See Microsoft Knowledge Base Article 3092845 to use automated Microsoft Fix it Solution 51037 to deny access to EPSIMP32.FLT.

Registry Method

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  1. Click Start, click Run, type regedit.exe, and then click OK.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Import\EPS
  3. Take note of the value of Path. In explorer, navigate to the EPSIMP32.FLT file at the location listed as the value of Path.
  4. Right click on EPSIMP32.FLT file and select Properties.
  5. On the Security tab, click Advanced.
  6. Clear the Allow inheritable permissions from the parent to propagate to this object… checkbox and click Remove.
  7. Click OK, Yes, and then OK.

Script Method

For all supported 32-bit editions of OS 
Run the following commands from a command prompt as an administrator:

takeown /f "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT"
icacls "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT" /save %TEMP%\EPSIMP32_ACL.TXT
icacls "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT" /deny everyone:(F)

For all supported x64-based editions of OS
Run the following commands from a command prompt as an administrator:

takeown /f "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT"
icacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT" /save %TEMP%\EPSIMP32_ACL.TXT
icacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT" /deny everyone:(F)

Impact of workaround: This workaround prevents EPS files from loading in Office, which may prevent certain images from displaying properly in Office. This setting must be reverted before installing future security updates.

How to undo the workaround

You can undo the workaround by running the commands from a command prompt as shown here. Alternatively, see Microsoft Knowledge Base Article 3092845 to use the automated Microsoft Fix it solution to undo the workaround.

Note:
See Microsoft Knowledge Base Article 3092845 to use automated Microsoft Fix it Solution 51038 to undo the workaround.

For all supported 32-bit editions of OS
Run the following command from a command prompt as an administrator:

icacls "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT" /restore %TEMP%\EPSIMP32_ACL.TXT

For all supported x64-based editions of OS
Run the following command from a command prompt as an administrator:

icacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT" /restore %TEMP%\EPSIMP32_ACL.TXT
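
Because the workaround must be reverted before future security updates are installed, it helps to be able to report which machines currently have it applied. The PowerShell script below is an added example, not part of the bulletin or Microsoft's tooling. It checks EPSIMP32.FLT at the Script Method paths and at the Registry Method's Path value. The function name Get-EpsFilterState and the WOW6432Node registry view are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. Get-EpsFilterState is a hypothetical name.
function Get-EpsFilterState {
    param([Parameter(Mandatory)][string]$Path)

    $denyAce  = $null   # $true/$false when the ACL can be read, $null otherwise
    $readable = $null   # $true/$false when the open attempt is conclusive

    try {
        $acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        # S-1-1-0 is the well-known SID for Everyone; matching the SID avoids localized names.
        $denyAce = [bool]($rules | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'S-1-1-0' -and
            ($_.FileSystemRights -band $full) -eq $full
        })
    } catch {
        # Get-Acl can fail with access denied for non-owners once Everyone is denied (F).
    }

    try {
        # The deny ACE blocks opening the file for read, which is what stops Office loading it.
        $stream = [System.IO.File]::OpenRead($Path)
        $stream.Dispose()
        $readable = $true
    } catch {
        if ($_.Exception.GetBaseException() -is [System.UnauthorizedAccessException]) {
            $readable = $false
        }
    }

    $status = if ($denyAce -or $readable -eq $false) { 'Blocked' } elseif ($readable) { 'Loadable' } else { 'Unknown' }
    [pscustomobject]@{ Path = $Path; DenyEveryoneFull = $denyAce; Readable = $readable; Status = $status }
}

# File locations named in the bulletin's Script Method (32-bit and x64 editions).
$relative   = 'Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT'
$candidates = @()
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($root) { $candidates += Join-Path $root $relative }
}

# Path value from the bulletin's Registry Method. The WOW6432Node key is an
# assumption covering 32-bit Office on x64 Windows; the bulletin lists only the first key.
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Import\EPS',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Shared Tools\Graphics Filters\Import\EPS'
)
foreach ($key in $regKeys) {
    $value = (Get-ItemProperty -LiteralPath $key -Name Path -ErrorAction SilentlyContinue).Path
    if ($value) {
        $value = [Environment]::ExpandEnvironmentVariables($value)
        if (Test-Path -LiteralPath $value -PathType Container) { $value = Join-Path $value 'EPSIMP32.FLT' }
        $candidates += $value
    }
}

$candidates | Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-EpsFilterState -Path $_ }
```

A Status of Blocked means the deny ACE is in effect and the ACL has to be restored before updates are installed; Loadable means the filter can still be opened and the workaround is not in place.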

Security Update Deployment

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information. 

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (September 8, 2015): Bulletin published.
  • V2.0 (September 15, 2015): Bulletin revised to announce that the 3088502 update for Microsoft Office 2016 for Mac is available. For more information see Microsoft Knowledge Base Article 3088502.
  • V3.0 (September 30, 2015): Revised bulletin to announce the availability of an update package for Microsoft Office 2016. Customers running Microsoft Office 2016 should apply the 2910993 update to be protected from the vulnerabilities discussed in this bulletin. The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.
  • V4.0 (October 13, 2015): Revised bulletin to announce the availability of an update package for Microsoft Excel 2016. Customers running Microsoft Excel 2016 should apply update 2920693 to be protected from the vulnerabilities discussed in this bulletin. The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.
  • V5.0 (November 10, 2015): To comprehensively address CVE-2015-2545, Microsoft re-released security updates for all affected Microsoft Office software. Microsoft recommends that customers running affected editions of Microsoft Office software should install the security updates released with this bulletin revision to be fully protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action. See Microsoft Knowledge Base Article 3089664 for more information.

Page generated 2015-11-11 10:53-08:00.