Positive Technologies Helps Eliminate New Vulnerabilities in Microsoft Office

As part of its monthly update release, Microsoft issued thirteen bulletins, containing patches for forty- seven vulnerabilities in the company's products. Experts at Positive Technologies including Timur Yunusov, Alexey Osipov, and Ilya Karpov received credit for reporting the XML External Entities Resolution vulnerability, found in various Microsoft Office programs.

The information about the XML External Entities Resolution vulnerability (CVE-2013-3159 and CVE-2013-3160, later evolved into XXE OOB) and ways to exploit it was first presented by the Positive Technologies at Black Hat Europe 2013. Positive technologies found that an attacker can exploit these security flaws by creating special Office flies. Once successful, the attacker can view the contents of files on the target system.

The Microsoft Office vulnerabilities CVE-2013-3159 and CVE-2013-3160 can be fixed by applying information from Microsoft Security Bulletins MS13-073 for Excel and MS13-072 for other Microsoft Office applications. These fixes are intended to prevent remote code execution and unauthorized access to arbitrary contents.

Moreover, Microsoft Security Bulletin MS13-078 addresses the Information Disclosure vulnerability in Microsoft FrontPage 2003 SP 3 (CVE-2013-3137), discovered by Positive Technologies. This vulnerability potentially could give an attacker access to all files of a target system.

Positive Technologies has been cooperating with Microsoft since 2009 when are security experts published a network utility to check for patches described in the security Microsoft Security Bulletins MS08-065, MS08-067, and MS09-001. Further, in September 2012, Positive Technologies discovered the possibility of bypassing Intel SMEP security mechanisms, in the RTM version of Microsoft Windows 8.