Vulnerability identifier: #VU295

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-3315

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Microsoft Office
Client/Desktop applications / Office applications
Microsoft OneNote
Client/Desktop applications / Office applications
Microsoft Office for Mac
Client/Desktop applications / Office applications

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to out-of-bound read when handling objects in memory. A remote attacker can create a specially crafted OneNote file and convince a victim to open it.

Successful exploitation of this vulnerability my allow an attacker to obtain potentially sensitive information but requires knowledge of the specific location of OneNote objects in memory.

Vulnerable software versions

: 2007, 2010, 2013 - 2013 RT

Microsoft OneNote:

Microsoft Office for Mac: 2016

---

External links
http://technet.microsoft.com/en-us/library/security/ms16-099.aspx

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.