SB2013121001 - Information disclosure in Microsoft Office
Published: December 10, 2013 Updated: March 11, 2017
Security Bulletin ID
SB2013121001
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2013-5054)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to an error in handling of a specially crafted response when opening a malicious Office file. A remote attacker can create a specially crafted file using, host it on remote website, trick the victim into opening it and gain access to tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
Remediation
Install update from vendor's website.