Kaspersky Threats

Detect date

?

07/11/2017

Severity

?

Critical

Description

Multiple serious vulnerabilities have been found in Microsoft Office. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges and spoof user interface.

Below is a complete list of vulnerabilities:

Multiple vulnerabilities related to improper handling of objects in memory in Microsoft Office can be exploited via a specially designed file to execute arbitrary code;
Multiple vulnerabilities related to incorrect handling of web requests in Microsoft Exchange Outlook Web Access can be exploited by sending a specially designed email message containing a malicious link to a user to execute arbitrary code;
An improper sanitization of web requests in Microsoft SharePoint Server can be exploited via a specially designed web request to gain privileges;
An open redirect vulnerability in Microsoft Exchange can be exploited by sending a link that has a specially designed URL and convincing a user to open it to spoof user interface.

Affected products

Microsoft Exchange Server 2016 Cumulative Update 5
Microsoft Business Productivity Servers 2010 Service Pack 2
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1
Microsoft Office 2016
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office 2016 for Mac
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office for Mac 2011
Microsoft Office Online Server 2016
Microsoft Excel 2007 Service Pack 3
Microsoft Excel 2010 Service Pack 2
Microsoft Excel 2013 Service Pack 1
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2016
Microsoft Excel Viewer 2007 Service Pack 3
Microsoft SharePoint Enterprise Server 2013
Microsoft SharePoint Enterprise Server 2016
Microsoft Exchange Server 2010 Service Pack 3
Microsoft Exchange Server 2013 Cumulative Update 16
Microsoft Exchange Server 2013 Service Pack 1

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Original advisories

CVE-2017-0243
CVE-2017-8501
CVE-2017-8502
CVE-2017-8569
CVE-2017-8570
CVE-2017-0243
CVE-2017-8501
CVE-2017-8502
CVE-2017-8570

Impacts

?

ACE

[?]

PE

[?]

SUI

[?]

Detect date ?	07/11/2017
Severity ?	Critical
Description	Multiple serious vulnerabilities have been found in Microsoft Office. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges and spoof user interface. Below is a complete list of vulnerabilities: Multiple vulnerabilities related to improper handling of objects in memory in Microsoft Office can be exploited via a specially designed file to execute arbitrary code; Multiple vulnerabilities related to incorrect handling of web requests in Microsoft Exchange Outlook Web Access can be exploited by sending a specially designed email message containing a malicious link to a user to execute arbitrary code; An improper sanitization of web requests in Microsoft SharePoint Server can be exploited via a specially designed web request to gain privileges; An open redirect vulnerability in Microsoft Exchange can be exploited by sending a link that has a specially designed URL and convincing a user to open it to spoof user interface.
Affected products	Microsoft Exchange Server 2016 Cumulative Update 5 Microsoft Business Productivity Servers 2010 Service Pack 2 Microsoft Office 2007 Service Pack 3 Microsoft Office 2010 Service Pack 2 Microsoft Office 2013 RT Service Pack 1 Microsoft Office 2013 Service Pack 1 Microsoft Office 2016 Microsoft Office Web Apps 2010 Service Pack 2 Microsoft Office 2016 for Mac Microsoft Office Compatibility Pack Service Pack 3 Microsoft Office for Mac 2011 Microsoft Office Online Server 2016 Microsoft Excel 2007 Service Pack 3 Microsoft Excel 2010 Service Pack 2 Microsoft Excel 2013 Service Pack 1 Microsoft Excel 2013 RT Service Pack 1 Microsoft Excel 2016 Microsoft Excel Viewer 2007 Service Pack 3 Microsoft SharePoint Enterprise Server 2013 Microsoft SharePoint Enterprise Server 2016 Microsoft Exchange Server 2010 Service Pack 3 Microsoft Exchange Server 2013 Cumulative Update 16 Microsoft Exchange Server 2013 Service Pack 1
Solution	Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)
Original advisories	CVE-2017-0243 CVE-2017-8501 CVE-2017-8502 CVE-2017-8569 CVE-2017-8570 CVE-2017-0243 CVE-2017-8501 CVE-2017-8502 CVE-2017-8570
Impacts ?	ACE [?] PE [?] SUI [?]
Related products	Microsoft Office Microsoft Excel Microsoft Sharepoint Server Microsoft Exchange Server
CVE-IDS ?	CVE-2017-02439.3Critical CVE-2017-85019.3Critical CVE-2017-85029.3Critical CVE-2017-85709.3Critical CVE-2017-85696.5High
Microsoft official advisories	Microsoft Security Update Guide
KB list	3213537 2880514 3191833 3191894 3191897 3191902 3191907 3203459 3203468 3203469 3203477 3212224 3213544 3213545 3213555 3213559 3213624 3213640 3213657