Vulnerability identifier: #VU1587
Vulnerability risk: High
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-126
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Microsoft Visio
Client/Desktop applications /
Office applications
Vendor:
Microsoft
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to buffer over-read in Microsoft Active Template Library (ATL). A remote attacker can create a specially crafted HTML document with an ATL component or control, trigger memory corruption and gain access to potentially sensitive data.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Mitigation
Install update from vendor's website:
Microsoft Outlook 2002 Service Pack 3:
https://www.microsoft.com/downloads/details.aspx?FamilyId=04878c2c-eb97-426f-be08-89036a6799db
http://go.microsoft.com/fwlink/?LinkId=112113
Microsoft Office Outlook 2003 Service Pack 3:
https://www.microsoft.com/downloads/details.aspx?FamilyId=79e2b2e8-d5e8-4014-b489-720af2b5083d
http://go.microsoft.com/fwlink/?LinkId=112113
Microsoft Office Outlook 2007 Service Pack 1 and Microsoft Office Outlook 2007 Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyId=d39234a3-c62c-44ba-a626-3179a183ca09
Microsoft Office Visio Viewer 2007 Service Pack 1 and Microsoft Office Visio Viewer 2007 Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?FamilyId=d20004c5-dd01-459e-8120-5f127e20c085
Vulnerable software versions
:
Microsoft Visio:
External links
http://technet.microsoft.com/en-us/library/security/ms09-060.aspx
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.