ALERT: Multiple vulnerabilities in Microsoft Office could allow remote code execution

Wednesday, April 15, 2015

This information was sent to U-M IT staff groups on April 15, 2015.

This message is intended for U-M IT staff who are responsible for maintaining, running, and supporting university machines with Microsoft Office installed.

Summary: 

Multiple vulnerabilities have been discovered in Microsoft Office that could allow remote code execution. Microsoft reports that one of the vulnerabilities affecting Microsoft Office for Windows (CVE-2015-1641) is being actively exploited. Microsoft has released updates to address these vulnerabilities.

Problem: 

Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Affected Versions: 
  • Microsoft Office 2007, 2010, 2013 (including 2013 RT)
  • Microsoft Office for Mac 2011, Office 365
  • Microsoft Office Web Apps Server 2010, 2013
  • Word Automation Services on Microsoft SharePoint Server 2010, 2013
  • Microsoft Word Viewer, Microsoft Office Compatibility Pack

Action Items: 

Apply the Microsoft patches as soon as possible after appropriate expedited testing.

Threats: 

Microsoft has reported that CVE-2015-1641 is being exploited in the wild. Successful exploitation can result in execution of arbitrary code. There are currently no reports of the other Microsoft Office vulnerabilities being exploited in the wild, but at least three of these vulnerabilities could lead to malicious code execution. In many cases, criminals are able to rapidly produce exploits after the release of patches.

Technical Details: 

Multiple vulnerabilities have been discovered in Microsoft Office, several of which could allow for remote code execution:

  • CVE-2015-1641 is a memory-corruption vulnerability that could allow for remote code execution. It exists in Microsoft Office software when the Office software fails to properly handle rich text format files in memory. An attacker who successfully exploits the vulnerability could use a specially crafted file to perform actions in the security context of the current user. The file could then, for example, take actions on behalf of the logged-on user with the same permissions as the current user.
  • CVE-2015-1639 is a vulnerability in Microsoft Outlook App for Mac that could allow for elevation of privileges when the software improperly sanitizes HTML strings.
  • CVE-2015-1649, CVE-2015-1650, and CVE-2015-1651 are use-after-free vulnerabilities that could allow for remote code execution.

Information for Users: 

MiWorkspace machines will be patched as soon as possible. If you have Microsoft Office installed on your own devices that are not managed by the university, please update Microsoft Office as soon as possible.

  • Windows devices. Update Microsoft Office using Windows Update.
  • Macs. Update Microsoft Office by opening a Microsoft Office program (such as Word, PowerPoint, or Excel), clicking Help, then selecting Check for Updates.

In general, the best protection for your devices is this: keep your software and apps up to date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see "Spam, Phishing, and Suspicious Email," "Instructions for Securing Your Devices and Data," and "Use a Secure Internet Connection."

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.

Sincerely, 
Don Welch, 
University of Michigan Chief Information Security Officer