Remote code execution in Microsoft Outlook

Published: 2018-01-09 21:55:00 | Updated: 2018-01-09 22:08:17
Severity: High
Patch available: YES
Number of vulnerabilities: 2
CVE ID: CVE-2018-0791, CVE-2018-0793
CVSSv3:
  8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
  8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CWE ID: CWE-119
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: Microsoft Office, Microsoft Outlook
Vulnerable software versions:
  Microsoft Office 2016
  Microsoft Outlook 2016
  Microsoft Outlook 2013
  Microsoft Outlook 2010
  Microsoft Outlook 2007
  Microsoft Outlook 2013 RT Service Pack 1
Vendor URL: Microsoft

Security Advisory

1) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in Microsoft Office software due to improper handling of objects in memory. A remote attacker can trick the victim into opening a specially crafted file, trigger memory corruption and execute arbitrary code with system privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install the update from the vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0791

2) Memory corruption

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in Microsoft Office software due to improper handling of objects in memory. A remote attacker can trick the victim into opening a specially crafted file, trigger memory corruption and execute arbitrary code with system privileges.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install the update from the vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0793
