Vulnerability identifier: #VU295
Vulnerability risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-119
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Microsoft Office
Client/Desktop applications /
Office applications
Microsoft OneNote
Client/Desktop applications /
Office applications
Microsoft Office for Mac
Client/Desktop applications /
Office applications
Vendor:
Microsoft
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to out-of-bound read when handling objects in memory. A remote attacker can create a specially crafted OneNote file and convince a victim to open it.
Successful exploitation of this vulnerability my allow an attacker to obtain potentially sensitive information but requires knowledge of the specific location of OneNote objects in memory.
Vulnerable software versions
: 2007, 2010, 2013 - 2013 RT
Microsoft OneNote:
Microsoft Office for Mac: 2016
External links
http://technet.microsoft.com/en-us/library/security/ms16-099.aspx
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.