MS14 081 Vulnerability in SharePoint

MS14 081 Vulnerability in SharePoint

Version 1.0

Seems like this year has been really hard on Office Web Apps and Word Services within SharePoint 2010 / 2013 for security reasons.

Microsoft released another security bulletin that impacts:

  • SharePoint 2010
  • SharePoint 2013
  • Office Web Apps 2013
  • Microsoft Project Server 2010 / 2013 
  • and other application that leverages SharePoint platform

Here is the security bulletin that is ranked as critical.

Microsoft Security Bulletin MS14-081 – Critical
Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)

Resources

Following are the important resources on this issue.

  1. MS14-081: Vulnerabilities in Microsoft Word and Office Web Apps could allow remote code execution: December 9, 2014
  2. MS14-081: Description of the security update for SharePoint Server 2010: December 9, 2014
  3. CVE-ID Use After Free Word Remote Code Execution Vulnerability – CVE-2014-6357
  4. National Vulnerability Database
  5. SecurityFocus
  6. US-Cert Security Bulletin

Download Updates:

  1. Security Update for Microsoft SharePoint Server 2010 (KB2899581)
  2. Security Update for Microsoft SharePoint Enterprise Server 2013 (KB2883050)


Mitigating Factors

  • An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • The vulnerability cannot be exploited automatically through email. For an attack to be successful a user must open an attachment that is sent in an email message.
  • In a web-based attack scenario, an attacker could host a website that contains a file that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s site, and then convince them to open the specially crafted file in an affected version of Microsoft Office software.

Workaround

No workaround available so far.

Visit www.softvative.com for professional and Managed services for your SharePoint Farms.

Leave a Reply

Enter the CAPTCHA * Time limit is exhausted. Please reload CAPTCHA.