The following services within the listed versions of SharePoint are specifically affected:
- Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
- Word Automation Services on Microsoft SharePoint Server 2013 Service Pack 1
- Microsoft Office Web Apps 2010 Service Pack 2
- Microsoft Web Apps Server 2013 Service Pack 1
Background Summary (from Microsoft's Bulletin)
The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
A security feature bypass vulnerability exists in Microsoft Office software due to an invalidly signed binary. An attacker who successfully exploited the vulnerability could use a similarly configured binary to host malicious code. A defender would then not be able to rely on a valid binary signature to differentiate between a known good and a malicious binary. To successfully exploit this vulnerability, an attacker would have to have write access to the target location that contains the invalidly signed binary. The attacker could then overwrite the original file with their own malicious file and wait for an application, or user, to trigger the malicious binary.
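
A defender-side check for the two conditions described above (a binary whose signature does not validate, in a location that a non-administrative principal can write to), as an added PowerShell example that is not taken from Microsoft's bulletin. The `$Root` default path and the list of trusted SIDs are assumptions to adjust for the environment being audited.

```powershell
# Added example: list binaries whose Authenticode signature is not Valid and
# show which non-administrative principals could overwrite them.
param(
    # Assumption: default Office install directory; pass -Root for other locations.
    [string]$Root = "$env:ProgramFiles\Microsoft Office"
)

# Assumption: principals that are expected to hold write access.
$trustedSids = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow a file's content to be changed or the file to be replaced.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'

Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.Status -eq 'Valid') { return }   # signature verifies, skip this file

        # Resolve ACL entries to SIDs so the comparison does not depend on localized names.
        $acl = Get-Acl -LiteralPath $_.FullName
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $writers = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
            $trustedSids -notcontains $_.IdentityReference.Value
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        [pscustomobject]@{
            Path            = $_.FullName
            Status          = $sig.Status      # e.g. HashMismatch, NotTrusted, NotSigned
            NonAdminWriters = $writers -join ', '
        }
    } |
    Sort-Object Status, Path |
    Format-Table -AutoSize -Wrap
```

Rows with a non-empty `NonAdminWriters` column meet both conditions and are the ones to review first. `NotSigned` rows can include catalog-signed or legitimately unsigned files, so treat them as review items rather than findings.
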
The security updates provided by Microsoft address the vulnerabilities by:
- Providing a validly signed binary
- Correcting how Office handles objects in memory
- VULNERABILITY DETAILS: All the information you need about this vulnerability and links to the required security patch can be found here: https://technet.microsoft.com/en-us/library/security/ms16-029.
- UPDATE: Updates addressing these vulnerabilities are available for SharePoint 2013 through the March 2016 Cumulative Update and through Windows Update.
- WORKAROUND: There is a workaround available for the Microsoft Office Memory Corruption Vulnerability. The workaround involves disabling the OLE Package function in Outlook; details are available at the Microsoft link provided. The workaround would likely only help protect Microsoft Office installations on desktops, not SharePoint installations, from this vulnerability.
- REPORTED EXPLOITS: According to Microsoft, there are no reported exploits of these vulnerabilities at this time.
Additional details regarding the SharePoint-related vulnerabilities are available at the National Vulnerability Database at the following links:
- Microsoft Office Memory Corruption Vulnerability - CVE-2016-0021
- Microsoft Office Memory Corruption Vulnerability - CVE-2016-0134
- Microsoft Office Security Feature Bypass Vulnerability - CVE-2016-0057