Microsoft today warned that innocuous documents, including legitimate rich text format files (.rtf), text files (.txt), or Word documents (.doc), could be used in code execution attacks against Windows users.
As part of this month’s Patch Tuesday release, Microsoft shipped MS11-071 to address a publicly known vulnerability in Windows Components that could be exploited via Office documents.
From the bulletin:
The vulnerability could allow remote code execution if a user opens a legitimate rich text format file (.rtf), text file (.txt), or Word document (.doc) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The vulnerability is caused when specific Windows components incorrectly restrict the path used for loading external libraries, Microsoft explained.
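A defender-side check for the condition the bulletin describes, as an added example that is not from Microsoft or the original article: it walks a directory tree (for instance a mounted file share) and reports folders where a .rtf, .txt or .doc file sits beside a .dll. The function names and the sample folder layout are constructed for illustration.

```python
import os
import tempfile

# Document types named in the MS11-071 bulletin text quoted above.
DOC_EXTS = {".rtf", ".txt", ".doc"}
LIB_EXTS = {".dll"}


def find_colocated_libraries(root):
    """Return {directory: {"documents": [...], "libraries": [...]}} for every
    directory under root that holds both a document and a DLL."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        docs, libs = [], []
        for name in filenames:
            # Compare extensions case-insensitively, as Windows does.
            ext = os.path.splitext(name)[1].lower()
            if ext in DOC_EXTS:
                docs.append(name)
            elif ext in LIB_EXTS:
                libs.append(name)
        if docs and libs:
            findings[dirpath] = {"documents": sorted(docs), "libraries": sorted(libs)}
    return findings


def build_sample_share(base):
    """Constructed sample layout: empty placeholder files with hypothetical names."""
    layout = {
        "reports": ["q3.doc", "notes.txt"],   # documents only
        "shared": ["memo.RTF", "helper.DLL"],  # document next to a DLL
        "tools": ["util.dll"],                 # DLL only
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            open(os.path.join(base, folder, name), "w").close()


def demo():
    """Scan the constructed layout and return findings keyed by relative folder."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_share(base)
        found = find_colocated_libraries(base)
        return {os.path.relpath(d, base): v for d, v in found.items()}


if __name__ == "__main__":
    for folder, hit in demo().items():
        print(f"{folder}: {hit['libraries']} next to {hit['documents']}")
```

A hit only marks a folder for review; installing the MS11-071 update is what addresses the library loading behaviour.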
Despite the risk of “remote code execution” attacks, Microsoft is rating this an “important” issue. The company says workstations and terminal servers are primarily at risk and warns that servers could be at more risk if administrators allow users to log on to servers and to run programs.
A separate bulletin (MS11-072) provides cover for a total of five documented vulnerabilities in Microsoft Office. The company said these vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file.
Microsoft’s flagship Office productivity suite is also affected by a third bulletin (MS11-072) that provides fixes for a pair of remote code execution vulnerabilities.
The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file or if a user opens a legitimate Office file that is located in the same network directory as a specially crafted library file.
This month’s Patch Tuesday batch also includes a fix for an elevation of privilege vulnerability in WINS that could be exploited if a user received a specially crafted WINS replication packet on an affected system running the WINS service.
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability, Microsoft said. A patch for this flaw was included in the “important” (MS11-072) bulletin.
The company also issued a fix for a total of six vulnerabilities in Microsoft SharePoint and Windows SharePoint Services.
“The most severe vulnerabilities could allow elevation of privilege if a user clicked on a specially crafted URL or visited a specially crafted Web site,” Microsoft said.
For the most severe vulnerabilities, Internet Explorer 8 and Internet Explorer 9 users browsing to a SharePoint site in the Internet Zone are at a reduced risk because, by default, the XSS Filter in Internet Explorer 8 and Internet Explorer 9 helps to block the attacks in the Internet Zone. The XSS Filter in Internet Explorer 8 and Internet Explorer 9, however, is not enabled by default in the Intranet
Story: By Ryan Naraine | September 13, 2011, 12:33pm PDT at ZDNet.com