Main Vulnerability Database SB2013121003

SB2013121003 - ASLR bypass in Microsoft Office

Published: December 10, 2013 Updated: March 11, 2017

Security Bulletin ID SB2013121003

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) ASLR bypass (CVE-ID: CVE-2013-5057)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber

The vulnerability allows a remote attacker to bypass certain security restrictions.

The weakness exists due to improper implementation of Address Space Layout Randomization (ASLR) within HXDS Office shared component. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and bypass the ASLR security feature.

Successful exploitation of the vulnerability may result in attacker's access to the vulnerable system.

Note: the vulnerability was being actively exploited.

Remediation

Install update from vendor's website.

References

https://technet.microsoft.com/en-us/library/security/ms13-106.aspx