Message-ID: <CAAnZqX_xPD7GJp082RfyLDMugYss8LOPXV-_vetPe4gnmpFa=w@mail.gmail.com>
Date: Sun, 15 Oct 2017 10:15:16 +0300
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Microsoft Office SMB Information Disclosure

SSD Advisory – Microsoft Office SMB Information Disclosure

Full report: https://blogs.securiteam.com/index.php/archives/3463
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

*Vulnerability Summary*
The following advisory describes an information disclosure found in
Microsoft Office versions 2010, 2013, and 2016.

Microsoft Office is: “Whether you’re working or playing, Microsoft is here
to help. We’re the company that created Microsoft Office, including Office
365 Home, Office 365 Personal, Office Home & Student 2016, Office Home &
Business 2016, and Office Professional 2016. You can also get Office for
Mac. Whatever your needs—whether professional or simply for fun—we’ve got
you covered. The powerful software in Microsoft Office 2013 remains in
Microsoft Office 2016.”

*Credit*
An independent security researcher, Björn Ruytenberg, has reported this
vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

*Vendor response*
Microsoft was informed of the vulnerability, to which they responded with:

“Upon investigation, we have determined that this submission does not meet
the bar for security servicing. Unfortunately images are commonly used in
emails and other locations that are sourced from external sites, those
sites can use that request for basic tracking information. Your report
about SMBTrap is also a well documented publicly disclosed item and would
not meet the bar. In addition the PoC requires a user to disable their
security, specifically the Protected View, stating that they trust the
source.

As such, this email thread has been closed and will no longer be monitored.”

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/