Microsoft: Office Vulnerability Under Attack, Prioritize Patch

Microsoft is urging businesses to prioritize a patch for Microsoft Office in order to thwart a spate of ongoing, targeted attacks that have appeared in the wild.

The vulnerability is covered in bulletin MS13-051, and can be exploited by an attacker to remotely execute code if a user opens a specially-crafted Office document using a vulnerable version of Microsoft Office software, or previews or opens a malicious email in Outlook while using Microsoft Word as the email reader.

According to Microsoft, there have been limited, targeted attacks attempting to exploit the issue, which is rated ‘Important’ for Microsoft Office 2003 and Office for Mac 2011.

“It’s disappointing to see that Mac users of Microsoft software get the short end of the stick when it comes to security,” said Tyler Reguly, technical manager of security research at Tripwire. “You have to wonder how a vulnerability that only affects Office 2003 is also in Office for Mac 2011. As a Mac user, I find this advisory very disconcerting.”

The patch for the vulnerability is tucked within a number of other updates in this month’s Patch Tuesday. All totaled, 23 vulnerabilities across Internet Explorer, Windows and Office were fixed. Nineteen of the vulnerabilities are in the critical update for Internet Explorer.

“Four out of these 19 vulnerabilities (CVE-2013-3112, CVE-2013-3113, CVE-2013-3121, and CVE-2013-3142) affect every supported version of Internet Explorer, so attackers will be targeting these vulnerabilities prior to attempting to exploit any of the others,” said BeyondTrust CTO Marc Maiffret. “Also, while the script debugging vulnerability grants remote code execution, it will not be a target for attackers, since it requires far more user interaction than a simple drive-by exploit would require.”

Default Internet Explorer configurations are not vulnerable since script debugging must be enabled, he said.

“Attackers will not want to rely on users to correctly start debugging scripts on a web page, so they will be focused on one or more of the memory corruption vulnerabilities,” he explained. 

Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing, blogged that the company has not yet detected any attacks utilizing the IE vulnerabilities.

“For those who need to prioritize deployment, we recommend focusing on MS13-047 and MS13-051 first. As always, customers should deploy all security updates as soon as possible,” Childs noted. 
