Multiple vulnerabilities in Microsoft Excel

Published: 2018-06-12 22:06:31
Severity High
Patch available YES
Number of vulnerabilities 2
CVE ID CVE-2018-8248
CVE-2018-8246
CVSSv3 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID CWE-119
CWE-125
Exploitation vector Network
Public exploit N/A
Vulnerable software Microsoft Office
Microsoft Excel
Microsoft Office Compatibility Pack
Vulnerable software versions Microsoft Office 2013 RT
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013
Microsoft Office 2016
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel Viewer
Microsoft Excel 2010
Microsoft Excel 2013
Microsoft Excel 2016
Microsoft Office Compatibility Pack Service Pack 3
Vendor URL Microsoft

Security Advisory

1) Buffer overflow

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error when processing Excel files. A remote unauthenticated attacker can create a specially crafted Excel file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8248

2) Out-of-bounds read

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to out-of-bounds read error when processing Excel document. A remote unauthenticated attacker can create a specially crafted Excel file, trick the victim into opening it and gain access to sensitive information stored in memory.

Remediation

Install updates from vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8246

Back to List