Full Disclosure mailing list archives

SSD Advisory – Microsoft Office SMB Information Disclosure


From: Maor Shwartz <maors () beyondsecurity com>
Date: Sun, 15 Oct 2017 10:15:16 +0300

SSD Advisory – Microsoft Office SMB Information Disclosure

Full report: https://blogs.securiteam.com/index.php/archives/3463
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

*Vulnerability Summary*
The following advisory describes an information disclosure found in
Microsoft Office versions 2010, 2013, and 2016.

Microsoft Office is: “Whether you’re working or playing, Microsoft is here
to help. We’re the company that created Microsoft Office, including Office
365 Home, Office 365 Personal, Office Home & Student 2016, Office Home &
Business 2016, and Office Professional 2016. You can also get Office for
Mac. Whatever your needs—whether professional or simply for fun—we’ve got
you covered. The powerful software in Microsoft Office 2013 remains in
Microsoft Office 2016.”

*Credit*
An independent security researcher, Björn Ruytenberg, has reported this
vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

*Vendor response*
Microsoft was informed of the vulnerability, to which they responded with:

“Upon investigation, we have determined that this submission does not meet
the bar for security servicing. Unfortunately images are commonly used in
emails and other locations that are sourced from external sites, those
sites can use that request for basic tracking information. Your report
about SMBTrap is also a well documented publicly disclosed item and would
not meet the bar. In addition the PoC requires a user to disable their
security, specifically the Protected View, stating that they trust the
source.

As such, this email thread has been closed and will no longer be monitored.”
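The advisory and the vendor reply above both turn on one mechanism: a document that references an external resource over SMB causes the client to connect outward, and an external host can learn from that connection. The usual network-side mitigation is to block or alert on SMB (TCP 139/445) leaving the internal network. The following Python script is an added example written for this post, not code from the advisory, the researcher or Beyond Security. It parses a constructed key=value firewall log format (hypothetical; adjust the regex to your firewall's export) and flags connections from RFC 1918 sources to non-internal destinations on SMB ports, so a defender can see whether Office-triggered or any other outbound SMB is reaching the perimeter.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample log lines for this example (not from the advisory).
# Destinations use documentation ranges (TEST-NET-2/3) to stand in for
# arbitrary Internet hosts.
SAMPLE_LOG = """\
2017-10-15T10:15:16Z fw1 src=10.0.8.21 dst=10.0.1.5 proto=tcp dport=445 action=allow
2017-10-15T10:15:17Z fw1 src=10.0.8.21 dst=203.0.113.7 proto=tcp dport=445 action=allow
2017-10-15T10:15:18Z fw1 src=10.0.8.22 dst=198.51.100.9 proto=tcp dport=443 action=allow
2017-10-15T10:15:19Z fw1 src=10.0.8.23 dst=198.51.100.9 proto=tcp dport=139 action=allow
2017-10-15T10:15:20Z fw1 src=10.0.8.24 dst=203.0.113.8 proto=tcp dport=445 action=deny
"""

# SMB over NetBIOS (139) and direct-hosted SMB (445).
SMB_PORTS = {139, 445}

# RFC 1918 space is treated as "internal". We check these explicitly instead
# of ipaddress.is_private, which also classifies documentation ranges such as
# 203.0.113.0/24 as private and would hide the sample destinations.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical log layout: "<timestamp> <host> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


def is_internal(ip: str) -> bool:
    """True if the address falls inside any RFC 1918 network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict, or return None if it does not fit the format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = {"ts": match.group("ts"), "host": match.group("host")}
    for token in match.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            event[key] = value
    # Require the fields the detection logic depends on.
    if not {"src", "dst", "dport"} <= event.keys():
        return None
    return event


def is_outbound_smb(event: Dict[str, str]) -> bool:
    """Internal source, non-internal destination, SMB destination port."""
    try:
        port = int(event["dport"])
    except ValueError:
        return False
    return (
        port in SMB_PORTS
        and is_internal(event["src"])
        and not is_internal(event["dst"])
    )


def find_outbound_smb(log_text: str, only_allowed: bool = False) -> List[Dict[str, str]]:
    """Return every outbound SMB event; optionally only those the firewall allowed.

    Allowed events mean the perimeter let the connection through and the
    remote host may have observed the client's SMB negotiation; denied events
    still tell you which internal hosts are trying to reach external shares.
    """
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not is_outbound_smb(event):
            continue
        if only_allowed and event.get("action") != "allow":
            continue
        hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["dst"]}:{hit["dport"]} ({hit.get("action")})')
```

Run against the sample, the script reports three outbound SMB attempts, two of which were allowed through; in a real deployment the allowed set is the one to investigate, and the fix on the network side is an explicit egress deny for TCP 139/445 so that the set becomes empty.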

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514

Attachment: SSD Advisory – Microsoft Office SMB Information Disclosure – SecuriTeam Blogs.pdf


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
