Summary:

· These vulnerabilities affect: SharePoint, SharePoint Foundation, and Visio Viewer 2010, which are all part of Microsoft's Office suite of products

· How an attacker exploits them: Multiple vectors of attack, including luring your users to a malicious web site or link, and enticing them to open malicious Visio files

· Impact: In the worst case, an attacker can execute code, potentially gaining complete control of your computer

· What to do: Install the appropriate SharePoint and Visio patches as soon as you can, or let Windows Update do it for you.

Exposure:

Yesterday, Microsoft released two Office-related security bulletins describing eight vulnerabilities found in SharePoint, SharePoint Foundation, and Visio Viewer 2010 -- all part of Microsoft's Office suite of products. Microsoft rates both bulletins as Important. We summarize the bulletins below:

· MS12-011: Three SharePoint XSS Vulnerabilities

SharePoint and SharePoint Foundation are Microsoft's web and document collaboration and management platforms. They both suffer from three Cross-Site Scripting vulnerabilities (XSS) that could allow an attacker to elevate his privileges. By enticing one of your users to visit a malicious web page or into clicking a specially crafted link, an attacker could exploit any of these flaws to gain that user's privilege on your SharePoint server. This means the attacker could view or change all the documents which that user could. These flaws only affect the latest 2010 version of SharePoint.

Microsoft rating: Important.

· MS12-015: Five Visio Viewer Memory Corruption Vulnerabilities

Microsoft Visio is a popular diagramming program, which many network administrators use to create network diagrams. Visio Viewer is a free program that anyone can use to view those diagrams. Visio Viewer suffers from five code execution vulnerabilities, all involving the way it handles specially crafted Visio documents. Though the flaws differ technically, they share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Visio document, he can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine. These flaws only affect Visio Viewer 2010, not the commercial Visio product.

Microsoft rating: Important

Solution Path

Microsoft has released SharePoint and SharePoint Foundation patches that correct these vulnerabilities. You should download, test, and deploy the appropriate SharePoint patches as soon as you can. If you choose, you can also let Windows Update automatically download and install these updates for you, though we recommend you test server patches before deploying them to production environments.

The links below take you directly to the “Affected and Non-Affected Software” section for each bulletin, where you will find links for the various updates:

· MS12-011

MS12-015