Full Disclosure mailing list archives
SSD Advisory – Microsoft Office SMB Information Disclosure
From: Maor Shwartz <maors () beyondsecurity com>
Date: Sun, 15 Oct 2017 10:15:16 +0300
SSD Advisory – Microsoft Office SMB Information Disclosure

Full report: https://blogs.securiteam.com/index.php/archives/3463
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

*Vulnerability Summary*
The following advisory describes an information disclosure found in Microsoft Office versions 2010, 2013, and 2016.

Microsoft Office is:
“Whether you’re working or playing, Microsoft is here to help. We’re the company that created Microsoft Office, including Office 365 Home, Office 365 Personal, Office Home & Student 2016, Office Home & Business 2016, and Office Professional 2016. You can also get Office for Mac. Whatever your needs—whether professional or simply for fun—we’ve got you covered. The powerful software in Microsoft Office 2013 remains in Microsoft Office 2016.”

*Credit*
An independent security researcher, Björn Ruytenberg, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

*Vendor response*
Microsoft was informed of the vulnerability, to which they responded with:
“Upon investigation, we have determined that this submission does not meet the bar for security servicing. Unfortunately images are commonly used in emails and other locations that are sourced from external sites, those sites can use that request for basic tracking information. Your report about SMBTrap is also a well documented publicly disclosed item and would not meet the bar. In addition the PoC requires a user to disable their security, specifically the Protected View, stating that they trust the source. As such, this email thread has been closed and will no longer be monitored.”

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514
Attachment:
SSD Advisory – Microsoft Office SMB Information Disclosure – SecuriTeam Blogs.pdf