ASB-2018.0007.2 - UPDATE [Win][Mac] Microsoft Office Services and Web Apps: Multiple vulnerabilities 2018-01-19


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0007.2
        January 2018 updates for Microsoft Office, Microsoft Office
                           Services and Web Apps
                              19 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Office Services and Web Apps
Operating System:     Windows
                      Mac OS
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Existing Account            
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Reduced Security                -- Unknown/Unspecified         
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-0819 CVE-2018-0812 CVE-2018-0807
                      CVE-2018-0806 CVE-2018-0805 CVE-2018-0804
                      CVE-2018-0802 CVE-2018-0801 CVE-2018-0799
                      CVE-2018-0798 CVE-2018-0797 CVE-2018-0796
                      CVE-2018-0795 CVE-2018-0794 CVE-2018-0793
                      CVE-2018-0792 CVE-2018-0791 CVE-2018-0790
                      CVE-2018-0789  
Member content until: Friday, February  9 2018

Revision History:     January 19 2018: To address a known issue with installing
                                       security update 4011021, Microsoft is
                                       announcing the availability of security
                                       update 4011022 as a replacement. Customers
                                       who experienced problems installing
                                       4011021 should install 4011022.
 
                                       Microsoft is announcing the availability
                                       of the 16.9.18011602 update for Microsoft
                                       Office 2016 for Mac. Customers running
                                       affected Mac software should install the
                                       update for their product to be protected
                                       from this vulnerability. Customers
                                       running other Microsoft Office software
                                       do not need to take any action.
                      January 10 2018: Initial Release

OVERVIEW

        Microsoft has released its monthly security patch update for the month
        of January 2018. [1]
        
        This update resolves 20 vulnerabilities across the following products: 
        
         Microsoft Excel  2016 Click-to-Run (C2R) for 32-bit editions
         Microsoft Excel  2016 Click-to-Run (C2R) for 64-bit editions
         Microsoft Excel 2007 Service Pack 3
         Microsoft Excel 2010 Service Pack 2 (32-bit editions)
         Microsoft Excel 2010 Service Pack 2 (64-bit editions)
         Microsoft Excel 2013 RT Service Pack 1
         Microsoft Excel 2013 Service Pack 1 (32-bit editions)
         Microsoft Excel 2013 Service Pack 1 (64-bit editions)
         Microsoft Excel 2016 (32-bit edition)
         Microsoft Excel 2016 (64-bit edition)
         Microsoft Excel Viewer 2007 Service Pack 3
         Microsoft Office 2007 Service Pack 3
         Microsoft Office 2010 Service Pack 2 (32-bit editions)
         Microsoft Office 2010 Service Pack 2 (64-bit editions)
         Microsoft Office 2013 RT Service Pack 1
         Microsoft Office 2013 Service Pack 1 (32-bit editions)
         Microsoft Office 2013 Service Pack 1 (64-bit editions)
         Microsoft Office 2016 (32-bit edition)
         Microsoft Office 2016 (64-bit edition)
         Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
         Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
         Microsoft Office 2016 for Mac
         Microsoft Office Compatibility Pack Service Pack 3
         Microsoft Office Online Server 2016
         Microsoft Office Web Apps 2010 Service Pack 2
         Microsoft Office Web Apps Server 2013 Service Pack 1
         Microsoft Office Word Viewer
         Microsoft Outlook 2007 Service Pack 3
         Microsoft Outlook 2010 Service Pack 2 (32-bit editions)
         Microsoft Outlook 2010 Service Pack 2 (64-bit editions)
         Microsoft Outlook 2013 RT Service Pack 1
         Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
         Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
         Microsoft Outlook 2016 (32-bit edition)
         Microsoft Outlook 2016 (64-bit edition)
         Microsoft SharePoint Enterprise Server 2013 Service Pack 1
         Microsoft SharePoint Enterprise Server 2016
         Microsoft SharePoint Foundation 2010 Service Pack 2
         Microsoft SharePoint Server 2010 Service Pack 2
         Microsoft Word 2007 Service Pack 3
         Microsoft Word 2010 Service Pack 2 (32-bit editions)
         Microsoft Word 2010 Service Pack 2 (64-bit editions)
         Microsoft Word 2013 RT Service Pack 1
         Microsoft Word 2013 Service Pack 1 (32-bit editions)
         Microsoft Word 2013 Service Pack 1 (64-bit editions)
         Microsoft Word 2016 (32-bit edition)
         Microsoft Word 2016 (64-bit edition)


IMPACT

        Microsoft has given the following details regarding these vulnerabilities.
        
         Details         Impact                   Severity
         ADV180003       Defense in Depth         None
         CVE-2018-0789   Spoofing                 Important
         CVE-2018-0790   Information Disclosure   Important
         CVE-2018-0791   Remote Code Execution    Important
         CVE-2018-0792   Remote Code Execution    Important
         CVE-2018-0793   Remote Code Execution    Important
         CVE-2018-0794   Remote Code Execution    Important
         CVE-2018-0795   Remote Code Execution    Important
         CVE-2018-0796   Remote Code Execution    Important
         CVE-2018-0797   Remote Code Execution    Critical
         CVE-2018-0798   Remote Code Execution    Important
         CVE-2018-0799   Tampering                Important
         CVE-2018-0801   Remote Code Execution    Important
         CVE-2018-0802   Remote Code Execution    Important
         CVE-2018-0804   Remote Code Execution    Low
         CVE-2018-0805   Remote Code Execution    Important
         CVE-2018-0806   Remote Code Execution    Important
         CVE-2018-0807   Remote Code Execution    Important
         CVE-2018-0812   Remote Code Execution    Important
         CVE-2018-0819   Spoofing                 Important


MITIGATION

        Microsoft recommends updating the software with the versions made
        available on the Microsoft Update Catalog for the following Knowledge
        Base articles. [1]
        
         KB3141547, KB3114998, KB4011632, KB4011021, KB4011636
         KB4011637, KB4011639, KB4011574, KB4011656, KB4011657
         KB4011651, KB4011653, KB4011610, KB4011611, KB4011658
         KB4011659, KB4011201, KB4011579, KB4011599, KB4011627
         KB4011626, KB4011622, KB4011273, KB4011615, KB4011660
         KB4011609, KB4011643, KB4011642, KB4011641, KB4011580
         KB4011602, KB4011648, KB4011607, KB4011606, KB4011605
         KB4011213, KB4011022
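        The following PowerShell audit script is an added example and is not
        part of the AusCERT bulletin or of Microsoft's guidance. It reads the
        Windows Update history on a Windows host through the Windows Update
        Agent COM API and reports which of the Knowledge Base articles listed
        above were installed successfully. It assumes the host receives its
        Office updates through Windows Update or WSUS (MSI-based Office);
        Click-to-Run Office 2016 and Office 2016 for Mac are serviced
        separately and do not appear in this history, so for those the build
        number (for example 16.9.18011602 for Mac, from the Revision History)
        must be checked instead. Get-HotFix is deliberately not used because it
        only reports operating-system hotfixes, not Office updates.

```powershell
# Added example (not from the AusCERT bulletin): check Windows Update history
# for the KB articles listed in the MITIGATION section.
# Assumption: Office on this host is updated via Windows Update / WSUS.
# Click-to-Run and Mac installs are not covered by this history.

# KB numbers copied verbatim from the bulletin's MITIGATION section.
$BulletinKBs = @(
    'KB3141547','KB3114998','KB4011632','KB4011021','KB4011636',
    'KB4011637','KB4011639','KB4011574','KB4011656','KB4011657',
    'KB4011651','KB4011653','KB4011610','KB4011611','KB4011658',
    'KB4011659','KB4011201','KB4011579','KB4011599','KB4011627',
    'KB4011626','KB4011622','KB4011273','KB4011615','KB4011660',
    'KB4011609','KB4011643','KB4011642','KB4011641','KB4011580',
    'KB4011602','KB4011648','KB4011607','KB4011606','KB4011605',
    'KB4011213','KB4011022'
)

function Get-InstalledBulletinKBs {
    param([string[]]$KBs = $BulletinKBs)

    # Windows Update Agent COM API (IUpdateSearcher::QueryHistory).
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return @{} }

    $installed = @{}
    foreach ($entry in $searcher.QueryHistory(0, $total)) {
        # Operation 1 = installation, ResultCode 2 = succeeded; skip the rest
        # (uninstalls, failures, aborted installs).
        if ($entry.Operation -ne 1 -or $entry.ResultCode -ne 2) { continue }
        foreach ($kb in $KBs) {
            # Update titles carry the KB number in parentheses, e.g.
            # "Security Update for Microsoft Office 2016 (KB4011627) 32-Bit Edition"
            if ($entry.Title -match "\($kb\)") { $installed[$kb] = $entry.Date }
        }
    }
    return $installed
}

# Report one line per KB from the bulletin.
$found = Get-InstalledBulletinKBs
foreach ($kb in $BulletinKBs) {
    $status = if ($found.ContainsKey($kb)) { "installed $($found[$kb])" } else { 'not found' }
    '{0,-10} {1}' -f $kb, $status
}
```

        Only the KB articles that apply to the Office products actually
        installed on the host are expected to show as installed; a "not found"
        for a KB belonging to a product that is not present is normal. Note
        also that, per the Revision History, KB4011022 replaces KB4011021, so
        either one being present covers that update.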


REFERENCES

        [1] Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWmFFjox+lLeg9Ub1AQi7dxAAhu6/J7C/JY8oFFPJvF1QZMwVGcWHoh4Y
OBiViXD4Wx8pgkefsSN60bmwpzW2PZmjHwsoU0n4nIyHUKU84gXqTtxSgdl630rd
udUHcHTct+hnpKn46+khQ3JrvBAh4X6ZiERdRkN3QM3uRS4a8brAuJdVasumSA28
6EZaKp18VAwr/5gwlJcju+EtJ6iqI/BjE9ImGHoDX5dmKHIdaHDXHLm1J45zUU6p
Q4+eV3IcIa8i3PGmynupbcifGXTS816qq/t0gVJ6hxhnnHjsAN0NBJcVRxsrC3dX
jvwks+jlaRzrAbdZuG9hgSEvWBYe4E05W/G9iDswZhJEFqBCbnndbgeBgyfIcHl7
MmgCEGCXET1IuAMFseulH6GZkbQNbsgieRuQqw53SxjbZh0ojqEWDb9Aymnci/Oy
vRm3PTiw7HjXIixYQD9rd+F3KkchVOEqjcEXf/B0Mp3ARW2T9plkkkNwE2jNSMMP
k8Ax71RbUwwmpWSaj0SyDHdCPKiLZvWV2wzKrF27rN7B1SylUFgp1IKxTdrIpyXX
OZ2bU6uDQdVpSDmwvpwHyVUB3prnmM/XxYbhxlOffzy1hpxpYL8vtsWq2TRm+kqX
iHYhgznYRszJCcENGYeC2daoB0OTkPlQSZkoiDMrpLR7z3/z/JTE0ySBnp52AIHa
pLMaGSHljpM=
=Uv1T
-----END PGP SIGNATURE-----
