Visio Viewer 2013
Microsoft Visio 2013 Viewer. Found 9 file extension associations related to Microsoft Visio 2013 Viewer and 2 file formats developed specifically for use with Microsoft Visio 2013 Viewer. Platform, operating system: Microsoft Windows. Go to: Microsoft Visio 2013 Viewer description. Microsoft Visio 2013 Viewer website. Developer: Microsoft. Visio 2013 Visio 2013 follows the Fixed Lifecycle Policy. This applies to the following editions: Professional, Standard. Listing Start Date Mainstream End Date Extended End Date; Visio 2013:::: Releases. Version Start Date End Date; Service Pack 1::: Original Release.
Findings (MAC III - Administrative Sensitive)
| Finding ID | Severity | Title | Description |
|---|---|---|---|
| V-40741 | Medium | ActiveX installs must be configured for proper restrictions. | Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or ... |
| V-40740 | Medium | Protection from zone elevation must be enforced. | Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine ... |
| V-40742 | Medium | Warning Bar settings for VBA macros must be configured. | When users open files containing VBA Macros, applications open the files with the macros disabled and displays the Trust Bar with a warning that macros are present and have been disabled. Users ... |
| V-40734 | Medium | Scripted Window Security must be enforced. | Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not ... |
| V-40735 | Medium | Add-on Management functionality must be allowed. | Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring ... |
| V-40736 | Medium | Add-ins to Office applications must be signed by a Trusted Publisher. | Office 2013 applications do not check the digital signature on application add-ins before opening them. Disabling or not configuring this setting may allow an application to load a dangerous ... |
| V-40737 | Medium | Links that invoke instances of IE from within an Office product must be blocked. | The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of ... |
| V-40730 | Medium | Disabling of user name and password syntax from being used in URLs must be enforced. | The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to ... |
| V-40731 | Medium | The Internet Explorer Bind to Object functionality must be enabled. | Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the ... |
| V-40732 | Medium | The Saved from URL mark must be selected to enforce Internet zone processing. | Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the ... |
| V-40733 | Medium | Navigation to URLs embedded in Office products must be blocked. | To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by ... |
| V-40738 | Medium | Trust Bar Notifications for unsigned applications must be disabled. | If an application is configured to require all add-ins to be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust ... |
| V-40739 | Medium | File downloads must be configured for proper restrictions. | Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur ... |
Security Bulletin
Vulnerability in Microsoft Visio Could Allow Information Disclosure (2834692)
Published: May 14, 2013 | Updated: May 23, 2013
Version: 1.1
General Information
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user opens a specially crafted Visio file. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise an affected system.
This security update is rated Important for all supported editions of Microsoft Visio 2003, Microsoft Visio 2007, and Microsoft Visio 2010. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by correcting the manner in which the XML parser used by Visio resolves external entities within a specially crafted file. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Customers can configure automatic updating to check online for updates from Microsoft Update by using the Microsoft Update service. Customers who have automatic updating enabled and configured to check online for updates from Microsoft Update typically will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates from Microsoft Update and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Knowledge Base Article
| Knowledge Base Article | 2834692 |
|---|---|
| File information | Yes |
| SHA1/SHA2 hashes | Yes |
| Known issues | Yes |
Affected and Non-Affected Software
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
Affected Software
| Office Software | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced |
|---|---|---|---|
| Microsoft Visio 2003 Service Pack 3 (2810062) | Information Disclosure | Important | 2553009 in MS11-060 |
| Microsoft Visio 2007 Service Pack 3 (2596595) | Information Disclosure | Important | None |
| Microsoft Visio 2010 Service Pack 1 (32-bit editions) (2810068) | Information Disclosure | Important | 2760762 in MS13-023 |
| Microsoft Visio 2010 Service Pack 1 (64-bit editions) (2810068) | Information Disclosure | Important | 2760762 in MS13-023 |
Non-Affected Software
| Office and Other Software |
|---|
| Microsoft Visio 2013 |
| Microsoft Office 2007 Filter Pack Service Pack 3 |
| Microsoft Office 2010 Filter Pack Service Pack 1 (32-bit version) |
| Microsoft Office 2010 Filter Pack Service Pack 1 (64-bit version) |
| Microsoft Visio Viewer 2010 Service Pack 1 (32-bit Edition) |
| Microsoft Visio Viewer 2010 Service Pack 1 (64-bit Edition) |
| Microsoft Visio Viewer 2013 (32-bit Edition) |
| Microsoft Visio Viewer 2013 (64-bit Edition) |
Update FAQ
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, see the Microsoft Support Lifecycle website.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, see the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the May bulletin summary. For more information, see Microsoft Exploitability Index.
| Affected Software | XML External Entities Resolution Vulnerability - CVE-2013-1301 | Aggregate Severity Rating |
|---|---|---|
| Microsoft Visio 2003 Service Pack 3 | Important Information Disclosure | Important |
| Microsoft Visio 2007 Service Pack 3 | Important Information Disclosure | Important |
| Microsoft Visio 2010 Service Pack 1 (32-bit editions) | Important Information Disclosure | Important |
| Microsoft Visio 2010 Service Pack 1 (64-bit editions) | Important Information Disclosure | Important |
XML External Entities Resolution Vulnerability - CVE-2013-1301
An information disclosure vulnerability exists in the way that Microsoft Visio parses specially crafted XML files containing external entities.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2013-1301.
Mitigating Factors
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
- The vulnerability cannot be exploited automatically through email. For an attack to be successful, a user must open an attachment that is sent in an email message.
- In a web-based attack scenario, an attacker could host a website that contains a specially crafted Visio file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website, and convince them to open the specially crafted Visio file.
Workarounds
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
- Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources
Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
FAQ
What is the scope of the vulnerability?
This is an information disclosure vulnerability. An attacker who successfully exploited this vulnerability could read data from a file located on the target system. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.
What causes the vulnerability?
The vulnerability is caused when Microsoft Visio improperly handles XML external entities that are resolved within other XML external entity declarations.
What is an XML External Entity?
An XML document may consist of one or many storage units. These are called entities. They all have content and are all identified by entity name. External entities allow an XML document to refer to an external file. External entities contain either text or binary data. If they contain text, the content of the external file is inserted at the point of reference and parsed as part of the referring document.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability would be able to read data from files on the target system. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.
How could an attacker exploit the vulnerability?
For an attacker to exploit this vulnerability, a user would need to open a specially crafted file with an affected version of Microsoft Visio.
In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Visio file to the user and by convincing the user to open the file.
In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted Visio file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link that takes them to the attacker's site, and then convince them to open the specially crafted Visio file.
What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user open a specially crafted file with an affected application for any malicious action to occur. Therefore, any systems where Visio files are frequently viewed, such as workstations or terminal servers, are at the most risk from this vulnerability.
What does the update do?
The update addresses the vulnerability by correcting the manner in which the XML parser used by Visio resolves external entities within a specially crafted file.
Visio Viewer Xp
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.
Update Information
Detection and Deployment Tools and Guidance
Visio Viewer 2013 Download
Several resources are available to help administrators deploy security updates.
- Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates and common security misconfigurations.
- Windows Server Update Services (WSUS), Systems Management Server (SMS), and System Center Configuration Manager (SCCM) help administrators distribute security updates.
- The Update Compatibility Evaluator components included with Application Compatibility Toolkit aid in streamlining the testing and validation of Windows updates against installed applications.
For more information about these tools and guidance in deploying security updates across networks, see Security Tools for IT Pros.
Security Update Deployment
Affected Software
For information about the specific security update for your affected software, click the appropriate link:
Visio 2003 (all editions)
Reference Table
The following table contains the security update information for this software.
| Security update file name | For Visio 2003: visio2003-kb2810062-fullfile-enu.exe |
| Installation switches | See Microsoft Knowledge Base Article 912203 |
| Restart requirement | In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
| Removal information | Use Add or Remove Programs item in Control Panel. Note When you remove this update, you may be prompted to insert the Microsoft Office 2003 CD in the CD drive. Additionally, you may not have the option to uninstall the update from the Add or Remove Programs item in Control Panel. There are several possible causes for this issue. For more information about the removal, see Microsoft Knowledge Base Article 903771. |
| File information | See Microsoft Knowledge Base Article 2810062 |
| Registry keyverification | Not applicable |
| Security update file name | For Visio 2007: visio2007-kb2596595-fullfile-x86-glb.exe |
| Installation switches | See Microsoft Knowledge Base Article 912203 |
| Restartrequirement | In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
| Removalinformation | Use Add or Remove Programs item in Control Panel. |
| Fileinformation | See Microsoft Knowledge Base Article 2596595 |
| Registry key verification | Not applicable |
| Security update file name | For Visio 2010 (32-bit editions): visio2010-kb2810068-fullfile-x86-glb.exe |
| For Visio 2010 (64-bit editions): visio2010-kb2810068-fullfile-x64-glb.exe | |
| Installation switches | See Microsoft Knowledge Base Article 912203 |
| Restartrequirement | In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
| Removalinformation | Use Add or Remove Programs item in Control Panel. |
| Fileinformation | See Microsoft Knowledge Base Article 2810068 |
| Registry key verification | Not applicable |