ASB-2017.0215 - [Win] Microsoft Office and SharePoint: Multiple vulnerabilities 2017-12-13

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0215
           Security patches for Microsoft Office and SharePoint
                             13 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Office
                      Microsoft SharePoint
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account            
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Alternate Program
CVE Names:            CVE-2017-11939 CVE-2017-11936 CVE-2017-11935
                      CVE-2017-11934  
Member content until: Friday, January 12 2018

OVERVIEW

        Microsoft has released its monthly security patch update for the
        month of December 2017. [1]
        
        This update resolves 6 vulnerabilities across the following products: 
        
         Microsoft Office 2010 Service Pack 2 (32-bit editions)
         Microsoft Office 2010 Service Pack 2 (64-bit editions)
         Microsoft Office 2013 RT Service Pack 1
         Microsoft Office 2013 Service Pack 1 (32-bit editions)
         Microsoft Office 2013 Service Pack 1 (64-bit editions)
         Microsoft Office 2016 (32-bit edition)
         Microsoft Office 2016 (64-bit edition)
         Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
         Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
         Microsoft Office 2016 for Mac
         Microsoft SharePoint Enterprise Server 2016
         Microsoft Word 2007 Service Pack 3
         Microsoft Word 2010 Service Pack 2 (32-bit editions)
         Microsoft Word 2010 Service Pack 2 (64-bit editions)
         Microsoft Word 2013 RT Service Pack 1
         Microsoft Word 2013 Service Pack 1 (32-bit editions)
         Microsoft Word 2013 Service Pack 1 (64-bit editions)
         Microsoft Word 2016 (32-bit edition)
         Microsoft Word 2016 (64-bit edition)


IMPACT

        Microsoft has given the following details regarding these vulnerabilities.
        
         Details         Impact                   Severity
         ADV170021       Defense in Depth         None
         CVE-2017-11934  Information Disclosure   Important
         CVE-2017-11934  Information Disclosure   Important
         CVE-2017-11935  Remote Code Execution    Important
         CVE-2017-11936  Elevation of Privilege   Important
         CVE-2017-11939  Information Disclosure   Important


MITIGATION

        Microsoft recommends updating the software with the version made
        available on the Microsoft Update Catalog for the following
        Knowledge Base articles. [1]
        
        
         KB4011575, KB4011277, KB4011576, KB4011608, KB4011095
         KB4011612, KB4011590, KB4011614


REFERENCES

        [1] Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
