Microsoft Security Bulletin MS15-059 - Important

  • Article

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3064949)

Published: June 9, 2015

Version: 1.0

Executive Summary

This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Important for all supported editions of the following software:

  • Microsoft Office 2007
  • Microsoft Office 2010
  • Microsoft Office 2013
  • Microsoft Office 2013 RT

For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how Microsoft Office handles files in memory and by correcting how Microsoft Office parses specially crafted files. For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3064949

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle

Microsoft Office Software

Microsoft Office Suites Software Component Maximum Security Impact Aggregate Severity Rating Updates Replaced*
Microsoft Office 2007
Microsoft Office 2007 Service Pack 3 (file format converters) (2863812) Not applicable Remote Code Execution Important 2760415 in MS13-091
Microsoft Office 2010
Microsoft Office 2010 Service Pack 2 (32-bit editions) (2863817) Not applicable Remote Code Execution Important 2553284 in MS13-091
Microsoft Office 2010 Service Pack 2 (64-bit editions) (2863817) Not applicable Remote Code Execution Important 2553284 in MS13-091
Microsoft Office 2013
Microsoft Office 2013 Service Pack 1 (32-bit editions) (3039749) Not applicable Remote Code Execution Important None
Microsoft Office 2013 Service Pack 1 (64-bit editions) (3039749) Not applicable Remote Code Execution Important None
Microsoft Office 2013 Service Pack 1 (32-bit editions) (3039782) Not applicable Remote Code Execution Important None
Microsoft Office 2013 Service Pack 1 (64-bit editions) (3039782) Not applicable Remote Code Execution Important None
Microsoft Office 2013 RT
Microsoft Office 2013 RT Service Pack 1 (3039749) [1] Not applicable Remote Code Execution Important None
Microsoft Office 2013 RT Service Pack 1 (3039782) [1] Not applicable Remote Code Execution Important None

[1]This update is available via Windows Update

*The Updates Replaced column shows only the latest update in a chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is on the Package Details tab).

Update FAQ

There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Affected Software table for the software?
Yes. Customers should apply all updates offered for the software installed on their systems.

I am being offered an update for software that is not specifically listed in the Affected Software table. Why am I being offered this update?
When an update addresses vulnerable code that exists in a component that is shared between multiple Microsoft Office products or shared between multiple versions of the same Microsoft Office product, the update is considered to be applicable to all supported products and versions that contain the vulnerable component.

For example, when an update applies to Microsoft Office 2007 products, only Microsoft Office 2007 may be specifically listed in the Affected Software table. However, the update could apply to Microsoft Word 2007, Microsoft Excel 2007, Microsoft Visio 2007, Microsoft Compatibility Pack, Microsoft Excel Viewer, or any other Microsoft Office 2007 product that is not specifically listed in the Affected Software table.

For example, when an update applies to Microsoft Office 2010 products, only Microsoft Office 2010 may be specifically listed in the Affected Software table. However, the update could apply to Microsoft Word 2010, Microsoft Excel 2010, Microsoft Visio 2010, Microsoft Visio Viewer, or any other Microsoft Office 2010 product that is not specifically listed in the Affected Software table.

For example, when an update applies to Microsoft Office 2013 products, only Microsoft Office 2013 may be specifically listed in the Affected Software table. However, the update could apply to Microsoft Word 2013, Microsoft Excel 2013, Microsoft Visio 2013, or any other Microsoft Office 2013 product that is not specifically listed in the Affected Software table.

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary.  

Microsoft Office Software

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software Microsoft Office Memory Corruption Vulnerability - CVE-2015-1759 Microsoft Office Memory Corruption Vulnerability - CVE-2015-1760 Microsoft Office Uninitialized Memory Use Vulnerability - CVE-2015-1770 Aggregate Severity Rating
Microsoft Office 2007
Microsoft Office 2007 Service Pack 3 (file format converters) **Important **Remote Code Execution (2863812) **Important **Remote Code Execution (2863812) Not applicable Important
Microsoft Office 2010
Microsoft Office 2010 Service Pack 2 (32-bit editions) Not applicable **Important **Remote Code Execution (2863817) Not applicable Important
Microsoft Office 2010 Service Pack 2 (64-bit editions) Not applicable **Important **Remote Code Execution (2863817) Not applicable Important
Microsoft Office 2013
Microsoft Office 2013 Service Pack 1 (32-bit editions) Not applicable **Important **Remote Code Execution (3039749) **Important **Remote Code Execution (3039782) Important
Microsoft Office 2013 Service Pack 1 (64-bit editions) Not applicable **Important **Remote Code Execution (3039749) **Important **Remote Code Execution (3039782) Important
Microsoft Office 2013 RT
Microsoft Office 2013 RT Service Pack 1 Not applicable **Important **Remote Code Execution (3039749) **Important **Remote Code Execution (3039782) Important

 

Vulnerability Information

Microsoft Office Uninitialized Memory Use Vulnerability - CVE-2015-1770

A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could use a specially crafted file to perform actions in the security context of the current user. The file could then, for example, take actions on behalf of the logged-on user with the same permissions as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message.

The security update addresses the vulnerability by correcting how Microsoft Office handles files in memory.

Microsoft received information about the vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that these vulnerability had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds

The following workarounds may be helpful in your situation:

  • Disable ActiveX Controls in Office
    To disable ActiveX controls in an Office 2010 or Office 2013 program:

    1. Click File and then click Options.
    2. In the Options dialog box click Trust Center in the left pane.
    3. Click Trust Center Settings.
    4. In the Trust Center dialog box click ActiveX Settings in the left pane.
    5. Select Disable all controls without notification.
    6. Click OK two times to exit the Options dialog box and return to the document.  

    Impact of workaround. ActiveX controls will not work in Office documents.

    How to undo the workaround

    In an Office 2010 or 2013 program:

    1. Click File and then click Options.
    2. In the Options dialog box click TrustCenter in the left pane.
    3. Click ActiveXCenterSettings.
    4. Select Prompt me before enabling all controls with minimal restrictions.
    5. Click OK two times to exit the Options dialog box and return to the document.  

    To disable ActiveX controls using Registry Editor:

    Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    1. Open Registry Editor.

    2. Access ActiveX settings by navigating to the following registry location:

      [HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security]

    3. Select the DisableAllActiveX DWORD value (if it does not exist, then create it).

    4. Set the Data value to 1.

    5. Exit Registry Editor.

    Impact of workaround. ActiveX controls will not work in Office documents.

    How to undo the workaround

    1. Open Registry Editor.

    2. Access ActiveX settings by navigating to the following registry location:

      [HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Security].

    3. Select the DisableAllActiveX value.

    4. Set the Data value to 0.

    5. Exit Registry Editor.  

  • Disable the osf.Sandbox ActiveX control in Office using Registry Editor
    Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    1. Open Registry Editor.

    2. Access ActiveX settings by navigating to the following registry location:

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{CDDBCC7C-BE18-4A58-9CBF-D62A012272CE}] (if it does not exist, then create it).

    3. Select the Compatibility Flags DWORD value (if it does not exist, then create it).

    4. Set the Data value to 400.

    5. Exit Registry Editor.

    Impact of workaround. Office documents that use the osf.Sandbox ActiveX control will not work.

    How to undo the workaround

    1. Open Registry Editor.

    2. Access ActiveX settings by navigating to the following registry location:

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{CDDBCC7C-BE18-4A58-9CBF-D62A012272CE}].

    3. Select the Compatibility Flags DWORD value.

    4. Set the Data value to 0.

    5. Exit Registry Editor.

Multiple Microsoft Office Memory Corruption Vulnerabilities

Remote code execution vulnerabilities exist in Microsoft Office software that is caused when the Office software improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code.

An attacker who successfully exploited these vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Exploitation of these vulnerabilities requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerabilities by sending a specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerabilities. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message.

The security update addresses the vulnerabilities by correcting how Microsoft Office parses specially crafted files.

The following tables contain links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title CVE number Publicly Disclosed Exploited
Microsoft Office Memory Corruption Vulnerability CVE-2015-1759 No No
Microsoft Office Memory Corruption Vulnerability CVE-2015-1760 No No

 

Mitigating Factors

Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds

The following workarounds may be helpful in your situation:

  • Use Microsoft Office File Block policy to prevent the opening of documents through Legacy Converters
    You can block specific types of files from being opened or saved in Excel, PowerPoint, and Word using Office File Block.

    To change the File Block settings in an Office 2010 or Office 2013 program:

    1. Click File and then click Options.
    2. In the Options dialog box click Trust Center in the left pane.
    3. Click Trust Center Settings.
    4. In the Trust Center dialog box click File Block Settings in the left pane.
    5. Select Open and Save for “Legacy Converters for Word”.
    6. In “Open behavior for selected file types” select Do not open selected file types.
    7. Click OK two times to exit the Options dialog box and return to the document.

     

    Impact of workaround. Users who have configured the File Block policy will be unable to open documents through Legacy Converters unless they are in Trusted Locations.

    How to undo the workaround

    In an Office 2010 or 2013 program:

    1. Click File and then click Options.
    2. In the Options dialog box click Trust Center in the left pane.
    3. Click Trust Center Settings.
    4. In the Trust Center dialog box click Restore Defaults.
    5. In the message box that appears click Restore Defaults.
    6. Click OK two times to exit the Options dialog box and return to the document.

     

  • To change the File Block settings using Registry Editor:
    Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    For Office 2007:

    1. Open Registry Editor.

    2. Access File Block settings by navigating to the following registry location:

      [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]

    3. Select the Converters DWORD value (if it does not exist, then create it)

    4. Set the Data value to 1.

    5. Exit Registry Editor.

     

    Note To use 'FileOpenBlock' with Office 2007, all of the latest Office 2007 security updates as of May 2007 must be applied.

    Impact of workaround. Users who have configured the File Block policy will be unable to open documents through Legacy Converters unless they are in Trusted Locations.

    How to undo the workaround

    1. Open Registry Editor.

    2. Access File Block settings by navigating to the following registry location:

      [HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock]

    3. Select the Converters value.

    4. Set the Data value to 0.

    5. Exit Registry Editor.

     

    For Office 2010:

    1. Open Registry Editor.

    2. Access File Block settings by navigating to the following registry location:

      [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock]

    3. Select the Converters DWORD value (if it does not exist, then create it).

    4. Set the DATA value to 2.

    5. Select the OpenInProtectedView sub key (if it does not exist, then create it).

    6. Set the sub key DWORD registry value to 0 (if it does not exist, then create it).

    7. Exit Registry Editor.

     

    Impact of workaround. Users who have configured the File Block policy will be unable to open documents through Legacy Converters unless they are in Trusted Locations.

    How to undo the workaround

    1. Open Registry Editor.

    2. Access File Block settings by navigating to the following registry location:

      [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock]

    3. Select the Converters sub key.

    4. Set the sub key DWORD registry value to 0.

    5. Select the OpenInProtectedView sub key.

    6. Set the sub key DWORD registry value to 1.

    7. Exit Registry Editor.

     

    For Office 2013:

    1. Open Registry Editor.

    2. Access File Block settings by navigating to the following registry location:

      [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]

    3. Select the Converters DWORD value (if it does not exist, then create it)

    4. Set the Data value to 2.

    5. Select the OpenInProtectedView DWORD value (if it does not exist, then create it)

    6. Set the Data value to 0.

    7. Exit Registry Editor.

     

    Impact of workaround. Users who have configured the File Block policy will be unable to open documents through Legacy Converters unless they are in Trusted Locations.

    How to undo the workaround

    1. Open Registry Editor.

    2. Access File Block settings by navigating to the following registry location:

      [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Security\FileBlock]

    3. Select the Converters value.

    4. Set the Data value to 0.

    5. Select the OpenInProtectedView value.

    6. Set Data value to 1.

    7. Exit Registry Editor.

     

    For instructions on how to configure Office File Block using either Group Policy or the Office Customization Tool (OCT), see Plan File block settings.

Security Update Deployment

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information. 

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (June 9, 2015): Bulletin published.

Page generated 2015-07-23 9:20Z-07:00.