Microsoft Security Bulletin MS13-075 - Important
Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687)
Published: September 10, 2013 | Updated: December 18, 2013
This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). The vulnerability could allow elevation of privilege if a logged-on attacker launches Internet Explorer from the toolbar in Microsoft Pinyin IME for Simplified Chinese. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of the Simplified Chinese IME and other IME implementations are not affected.
This security update is rated Important for all supported editions of Microsoft Office 2010 where Microsoft Pinyin IME 2010 is installed. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by correcting the manner in which Microsoft Office IME (Chinese) exposes configuration options that were not designed to run on the secure desktop. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Customers can configure automatic updating to check online for updates from Microsoft Update by using the Microsoft Update service. Customers who have automatic updating enabled and configured to check online for updates from Microsoft Update typically will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates from Microsoft Update and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Knowledge Base Article

| Knowledge Base Article | 2878687 |
|---|---|
Affected and Non-Affected Software
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
Affected Software

| Microsoft Office Suite and Other Software | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
|---|---|---|---|---|
| **Microsoft Office Suites and Components** | | | | |
| Microsoft Office 2010 Service Pack 1 (32-bit editions) | [Microsoft Pinyin IME 2010 (32-bit version)](http://www.microsoft.com/downloads/details.aspx?familyid=f3faa8f8-fbcd-4681-b5d5-ee18fa2ab4f2) (2687413) | Elevation of Privilege | Important | None |
| Microsoft Office 2010 Service Pack 1 (64-bit editions) | [Microsoft Pinyin IME 2010 (64-bit version)](http://www.microsoft.com/downloads/details.aspx?familyid=b5ab63d0-1898-4586-8704-526991f7d3a6) (2687413) | Elevation of Privilege | Important | None |

Non-Affected Software

| Office and Other Software |
|---|
| Microsoft Office 2007 Service Pack 3 |
| Microsoft Office 2010 Service Pack 2 (32-bit editions) |
| Microsoft Office 2010 Service Pack 2 (64-bit editions) |
| Microsoft Office 2013 (32-bit editions) |
| Microsoft Office 2013 (64-bit editions) |
| Microsoft Office 2013 RT |
What is an Input Method Editor (IME)?
Input Method Editors (IMEs) help solve a problem with entering text in certain languages from a keyboard. Languages such as Chinese and Japanese contain thousands of different characters, and it is not feasible to build a keyboard that includes all of them. IMEs allow the characters to be composed on a standard 101-key keyboard by specifying the strokes or phonetic input that make up each character.
An IME consists of an engine that converts keystrokes into phonetic and ideographic characters and a dictionary of commonly-used ideographic words. As the user enters keystrokes via the keyboard, the IME identifies the keystrokes and converts them into characters.
What is Microsoft Pinyin IME 2010?
Microsoft Pinyin IME 2010 is a Microsoft Pinyin (MSPY) Input Method Editor (IME) for Simplified Chinese. Microsoft Pinyin IME 2010 is installed by default with Chinese versions of Microsoft Office 2010 and is also available as an optional component in English and other language versions of Microsoft Office 2010.
I have an IME installed, but I do not have Microsoft Pinyin IME 2010 installed. Why am I being offered this update?
Only implementations of Microsoft Pinyin IME 2010 are affected by the vulnerability. Other IME implementations are not vulnerable. However, this update may be offered to systems with a non-vulnerable IME, such as other Chinese IMEs, the Japanese IME, or the Korean IME.
Although this update may be offered for a non-vulnerable IME, users who choose not to apply it do not increase the security risk for their system. Microsoft nonetheless recommends that users install all updates offered to their systems; this helps maintain consistency for files shared across Office products. In some cases an update offered to non-vulnerable software detects that the files on the system are already up to date, and as a result the update does not need to install any files.
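Because the update is offered even to systems that only carry a non-vulnerable IME, an administrator usually wants to know which machines actually have Microsoft Pinyin IME 2010 installed and whether the fixing package (2687413) is already present. The following PowerShell script is an added example and is not part of this bulletin or of any Microsoft tooling. It assumes that the IME and the Office 2010 update register under the standard `Uninstall` registry keys with a `DisplayName` that contains "Pinyin" / "2010" and "KB2687413" respectively; those match patterns are assumptions, not identifiers taken from the bulletin, so adjust them to what your own inventory shows.

```powershell
# Added example, not part of MS13-075: inventory check for exposure to CVE-2013-3859.
# Assumption: both the IME and the Office 2010 update are registered under the
# standard Uninstall keys (native and WOW6432Node) with a recognisable DisplayName.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledEntries {
    # Read every Uninstall entry that has a DisplayName; missing keys are ignored.
    Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, PSChildName
}

function Test-MS13075Exposure {
    $entries = Get-InstalledEntries

    # Per the bulletin only Microsoft Pinyin IME 2010 is affected; other IMEs are not.
    # The name pattern below is an assumption about how the IME registers itself.
    $pinyin = $entries | Where-Object {
        $_.DisplayName -match 'Pinyin' -and $_.DisplayName -match '2010'
    }

    # The fix ships as Office 2010 update package 2687413 (KB2687413).
    # Assumption: the update's DisplayName or key name carries the KB number.
    $fix = $entries | Where-Object {
        $_.DisplayName -match 'KB2687413' -or $_.PSChildName -match '2687413'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        PinyinIme2010Present = [bool]$pinyin
        PinyinEntries        = (@($pinyin | ForEach-Object { $_.DisplayName }) -join '; ')
        KB2687413Installed   = [bool]$fix
        # A host is exposed only if the affected IME is present and the fix is not.
        Exposed              = ([bool]$pinyin -and -not [bool]$fix)
    }
}

Test-MS13075Exposure | Format-List
```

Treat a `PinyinIme2010Present = False` result with some caution on Chinese-language Office 2010 installations, where the IME is installed by default and may be registered as part of the suite rather than as a separately named entry; in that case the fix check (`KB2687413Installed`) is the more reliable signal. The script is read-only and can be run under a standard user account, since it only queries HKLM.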
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, see the Microsoft Support Lifecycle website.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, see the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the September bulletin summary. For more information, see Microsoft Exploitability Index.
| Affected Software | Chinese IME Vulnerability – CVE-2013-3859 | Aggregate Severity Rating |
|---|---|---|
| Microsoft Office 2010 Service Pack 1 (32-bit editions) with Microsoft Pinyin IME 2010 (32-bit version) | Important (Elevation of Privilege) | Important |
| Microsoft Office 2010 Service Pack 1 (64-bit editions) with Microsoft Pinyin IME 2010 (64-bit version) | Important (Elevation of Privilege) | Important |
| Deployment Item | Details |
|---|---|
| Security update file name | For Microsoft Office 2010 Service Pack 1 (32-bit editions) with Microsoft Pinyin IME 2010 (32-bit version): |
| | For Microsoft Office 2010 Service Pack 1 (64-bit editions) with Microsoft Pinyin IME 2010 (64-bit version): |
| Installation switches | See Microsoft Knowledge Base Article 912203 |
| Restart requirement | In some cases, this update does not require a restart. If the required files are in use, this update will require a restart, and a message appears that advises you to restart. To reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files before installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
| Removal information | Use the Add or Remove Programs item in Control Panel. |
| File information | See Microsoft Knowledge Base Article 2687413 |
| Registry key verification | Not applicable |