The following services within the listed versions of SharePoint are specifically affected:
- Excel Services in SharePoint Server 2007 Service Pack 3 (32 bit edition)
- Excel Services in SharePoint Server 2007 Service Pack 3 (64 bit edition)
- Excel Services in SharePoint Server 2010 Service Pack 2
- Excel Services in SharePoint Server 2013 Service Pack 1
- Word Automation Services in SharePoint Server 2013 Service Pack 1
Background Summary (from Microsoft's Bulletin)
The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
In addition, a cross-site scripting (XSS) vulnerability exists in SharePoint Foundation 2013 SP1 which could allow remote attackers to inject arbitrary web script or HTML via a specially crafted request.
The security updates provided by Microsoft address the vulnerabilities by:
- Correcting how Office handles objects in memory
- Providing a validly signed binary
- Helping to ensure that SharePoint Server properly sanitizes web requests
- VULNERABILITY DETAILS: All the information you need about this vulnerability and links to the required security patch can be found here: https://technet.microsoft.com/library/security/MS16-015.
- SECURITY UPDATES: Links to the security updates addressing all of these issues can be found at the link above; a more direct link to the updates page for these security patches is the following: https://support.microsoft.com/en-us/kb/3134226.
- REPORTED EXPLOITS: According to Microsoft, at the time of the bulletin none of these vulnerabilities was known to have been exploited.
Additional details regarding the SharePoint related vulnerabilities are available at the National Vulnerability Database at the following links:
- Microsoft Office Memory Corruption Vulnerability – CVE-2016-0022 (Remote Code Execution via specially crafted Office document)
- Microsoft SharePoint XSS Vulnerability – CVE-2016-0039 (Elevation of Privilege via cross-site scripting)
- Microsoft Office Memory Corruption Vulnerability – CVE-2016-0052 (Remote Code Execution via specially crafted Office document)
- Microsoft Office Memory Corruption Vulnerability – CVE-2016-0053 (Remote Code Execution via specially crafted Office document)
Security Strategy for Vulnerabilities
This bulletin reminds us that a comprehensive security strategy is needed for managing our server applications, so that we are alerted to critical security updates and can make informed decisions about updating our servers to keep them protected. This is especially true when enterprises rely on SharePoint to store and manage sensitive corporate data. Sometimes updates are managed through automatic installation. In other circumstances, automatic updates are turned off on Production environments so that patches and updates can be tested in Staging environments prior to deployment to Production systems. In many cases a mix of strategies is used, where critical security updates are installed automatically but other updates are not, so that they can first be tested in Staging. Whichever strategy your organization chooses, it is important to identify one, ensure that it is comprehensive and documented, and that it includes active periodic review of security updates on all server applications.
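As an added example (not part of the original post or of Microsoft's bulletin), the following PowerShell check implements the "periodic review" step on a SharePoint server: given the KB numbers of the updates the server is required to have, it reports which ones are installed and exits non-zero if any is missing. The KB numbers in the script are placeholders, to be replaced with the KB IDs listed on the bulletin's update page for your SharePoint version; the script assumes it runs in an elevated PowerShell session on the server being checked.

```powershell
param(
    # Placeholder KB numbers: replace with the KB IDs from the bulletin's update page
    # for your SharePoint version (these values are not taken from the bulletin).
    [string[]]$RequiredKBs = @('KB0000000', 'KB0000001')
)

# Office and SharePoint security updates ship as Windows Installer patches (.msp),
# which Get-HotFix (Win32_QuickFixEngineering) does not list. Windows Installer records
# each applied patch under the per-product Patches key, with the KB number in DisplayName.
$patchRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
$installedPatches = Get-ChildItem -Path "$patchRoot\*\Patches" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.DisplayName }

# Ordinary Windows hotfixes are visible through Get-HotFix; include them so one report
# covers both kinds of update on the same server.
$hotfixIds = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

$report = foreach ($kb in $RequiredKBs) {
    $mspMatch = @($installedPatches | Where-Object { $_.DisplayName -match [regex]::Escape($kb) })
    $evidence = ''
    if ($mspMatch.Count -gt 0) { $evidence = $mspMatch[0].DisplayName }
    elseif ($hotfixIds -contains $kb) { $evidence = 'Get-HotFix' }
    [pscustomobject]@{
        KB        = $kb
        Installed = ($evidence -ne '')
        Evidence  = $evidence
    }
}

$report | Format-Table -AutoSize

# A non-zero exit lets a scheduled task or deployment job fail when a required update is missing.
if (@($report | Where-Object { -not $_.Installed }).Count -gt 0) { exit 1 }
```

Run it on each server in the farm, since patches are applied per server. Note that installing the .msp is only the first half of a SharePoint update: the SharePoint Products Configuration Wizard (psconfig) must still be run on the farm afterwards, so a script like this confirms that the binaries are present but not that the farm upgrade has completed.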
Personally, I'm not a fan of automatic updates. I like to know what is getting installed on my systems, especially my servers - even when it comes to security updates. But not having updates applied automatically requires active research or alerts so that we are informed when vulnerabilities are found and security updates are available. I don't want to criticize automatic security updates - depending on your comfort level, they are a viable strategy for managing security and protecting our servers from vulnerabilities. I am a big fan of Microsoft's technical security notification service, which you can register for here:
Once again, for the vulnerabilities discussed here, please refer to Microsoft's official bulletin for all details and required security patches which is located here: https://technet.microsoft.com/library/security/MS16-015.