Vulnerability identifier: #VU132
Vulnerability risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Microsoft Office
Client/Desktop applications /
Office applications
Microsoft Excel
Client/Desktop applications /
Office applications
Microsoft PowerPoint
Client/Desktop applications /
Office applications
Microsoft Word
Client/Desktop applications /
Office applications
Microsoft Office Web Apps
Client/Desktop applications /
Office applications
Word Automation Services on Microsoft SharePoint Server
Server applications /
Other server solutions
Vendor: Microsoft
Description
A remote attacker can bypass certain security restrictions.
The vulnerability exists due to an error when parsing file formats. A remote attacker can bypass certain security restrictions.
Successful exploitation of this vulnerability may allow an attacker to bypass certain security features, implemented in Microsoft Office products, and take advantage of other vulnerabilities.
Mitigation
To resolve this vulnerability vendor recommends installing the following updates:
Microsoft Office 2010
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions)
Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions)
Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2013 RT
Use Windows Update to obtain the patch.
Microsoft Office 2016
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
SharePoint Software
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
Microsoft Office Web Apps 2010 Service Pack 2
Vulnerable software versions
Microsoft Office: 2010 - 2010 Service Pack 2, 2013 - 2013 RT
Microsoft Excel:
Microsoft PowerPoint:
Microsoft Word:
Word Automation Services on Microsoft SharePoint Server: 2010 Service Pack 2
Microsoft Office Web Apps: 2010 Service Pack 2
External links
http://technet.microsoft.com/en-us/library/security/MS16-088
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.