Information disclosure in Microsoft Office

Published: 2018-08-14
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-8378
CWE ID CWE-125
Exploitation vector Network
Public exploit N/A
Vulnerable software Microsoft Office Subscribe
Microsoft Word
Microsoft SharePoint Server
Word Automation Services on Microsoft SharePoint Server
Microsoft Office Web Apps
Microsoft Excel
Vendor Microsoft

Security Advisory

This security advisory describes one low risk vulnerability.

1) Out-of-bounds read

Severity: Low

CVSSv3: 4.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-8378

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to out-of-bounds read error when processing Microsoft Office documents. A remote unauthenticated attacker can create a specially crafted Office document, trick the victim into opening it, trigger out-of-bounds read and gain access to contents of memory.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Office: 2010 Service Pack 2, 2013, 2013 RT, 2016

Microsoft Word: Viewer

Microsoft SharePoint Server: 2013, 2016

Word Automation Services on Microsoft SharePoint Server: 2010 Service Pack 2

Microsoft Office Web Apps: 2010 Service Pack 2, 2013 Service Pack 1

Microsoft Excel: Viewer 2007 Service Pack 3

CPE External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8378

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open an attachment in an e-mail message.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.