Security Update for Microsoft Office (June 2017) (macOS)

2017-06-13T00:00:00
ID MACOSX_MS17_JUNE_OFFICE.NASL
Type nessus
Reporter Tenable
Modified 2018-08-29T00:00:00

Description

The Microsoft Office application installed on the remote macOS or Mac OS X host is missing a security update. It is, therefore, affected by multiple remote code execution vulnerabilities in Microsoft Office due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit these vulnerabilities, by convincing a user to open a specially crafted Office document, to execute arbitrary code in the context of the current user.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(100758);
  script_version("1.8");
  script_cvs_date("Date: 2018/08/29 17:01:11");

  script_cve_id("CVE-2017-8509", "CVE-2017-8511", "CVE-2017-8545");
  script_bugtraq_id(98812, 98815, 98917);
  script_xref(name:"MSKB", value:"3212223");
  script_xref(name:"MSFT", value:"MS17-3212223");
  script_xref(name:"IAVA", value:"2017-A-0179");

  script_name(english:"Security Update for Microsoft Office (June 2017) (macOS)");
  script_summary(english:"Checks the version of Microsoft Office.");

  script_set_attribute(attribute:"synopsis", value:
"An application installed on the remote macOS or Mac OS X host is
affected by multiple remote code execution vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Microsoft Office application installed on the remote macOS or Mac
OS X host is missing a security update. It is, therefore, affected by
multiple remote code execution vulnerabilities in Microsoft Office due
to improper handling of objects in memory. An unauthenticated, remote
attacker can exploit these vulnerabilities, by convincing a user to
open a specially crafted Office document, to execute arbitrary code in
the context of the current user.");
  # https://support.microsoft.com/en-us/help/3212223/description-of-the-security-update-for-office-for-mac-2011-14-7-5-june
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?8fbc6de6");
  # https://support.office.com/en-us/article/Release-notes-for-Office-2016-for-Mac-ed2da564-6d53-4542-9954-7e3209681a41
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?68489292");
  # https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8509
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?069ce460");
  # https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8511
  script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?b685de7b");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released patches for Microsoft Office for Mac 2011 and
Microsoft Office 2016 for Mac.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/13");

  script_set_attribute(attribute:"plugin_type",value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word_for_mac");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:outlook");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_office_installed.nbin");
  script_require_keys("Host/MacOSX/Version");
  script_require_ports(
    "installed_sw/Office for Mac 2011",
    "installed_sw/Microsoft Outlook",
    "installed_sw/Microsoft Word",
    "installed_sw/Microsoft PowerPoint"
  );

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

os = get_kb_item("Host/MacOSX/Version");
if (!os) audit(AUDIT_OS_NOT, "Mac OS X");

# Office 2011
apps = make_list(
  "Office for Mac 2011",
  "Microsoft Word",
  "Microsoft PowerPoint"
);

report = "";

foreach app (apps)
{
  installs = get_installs(app_name:app);
  if (isnull(installs[1])) continue;
  foreach install (installs[1])
  {
    version = install['version'];
    path    = install['path'];
    app_label = app;
    app_lower = tolower(app);
    fix = NULL;
    fix_disp = NULL;

    # only word and powerpoint are affected
    if (app_lower !~ "word" && app_lower !~ "powerpoint") continue;

    if (version =~ "^14\.")
    {
      if (app !~ " for Mac 2011$") app_label += " for Mac 2011";
      fix = '14.7.5';
    }
    else
    {
      if (version =~ "^15\.") app_label += " for Mac 2016";
      fix = '15.35.0';
      fix_disp = '15.35 (17061000)';
    }

    if (fix && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      report +=
        '\n  Product           : ' + app_label +
        '\n  Installed version : ' + version;

      if (!empty_or_null(fix_disp))
      {
        report += '\n  Fixed version     : ' + fix_disp;
        fix_disp = '';
      }
      else report += '\n  Fixed version     : ' + fix;

      os = get_kb_item("Host/MacOSX/Version");

      if (os =~ "^Mac OS X 10\.[0-9](\.|$)" && app_label =~ " for Mac 2016$")
        report += '\n  Note              : Update will require Mac OS X 10.10.0 or later.\n';
      else report += '\n';
    }
  }
}

# Report findings.
if (!empty(report))
  security_report_v4(severity:SECURITY_HOLE, port:0, extra:report);
else
  audit(AUDIT_HOST_NOT, "affected");