MS14-023  Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

2014-05-13 This security update resolves two privately reported vulnerabilities in Microsoft Office. The most severe vulnerability could allow remote code execution if a user opens an Office file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Vulnerabilities addressed in this bulletin:

Microsoft Office Chinese Grammar Checking Vulnerability

A remote code execution vulnerability exists in the way that affected Microsoft Office software handles the loading of dynamic-link library (.dll) files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CVE-2014-1756

Token Reuse Vulnerability

An information disclosure vulnerability exists when affected Microsoft Office software does not properly handle a specially crafted response while attempting to open an Office file hosted on the malicious website. An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted Microsoft online service.
CVE-2014-1808

Bulletin details at Microsoft.com