Customers who have not enabled automatic updating need to check for updates from Microsoft Update and install this update manually. Customers who have automatic updating enabled and configured to check online for updates from Microsoft Update typically will not need to take any action because this security update will be downloaded and installed automatically. Recommendation. Customers can configure automatic updating to check online for updates from Microsoft Update by using the Microsoft Update service. This security update also addresses the vulnerability first described in Microsoft Security Advisory 2953095. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
The security update addresses the vulnerabilities by correcting the way that Microsoft Office software parses specially crafted files. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update is also rated Critical for supported versions of Microsoft Word Viewer and Microsoft Office Compatibility Pack.
This security update is rated Critical for Microsoft Word 2003, Microsoft Word 2007, Microsoft Word 2010, Microsoft Word 2013, Microsoft Word 2013 RT, and for affected Microsoft Office services and Web Apps on supported editions of Microsoft SharePoint Server 2010, Microsoft SharePoint Server 2013, and Microsoft Web Apps Server 2013. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened or previewed in an affected version of Microsoft Office software. This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Office.
Version: 1.0 General Information Executive Summary In this article Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)