#VU44107 Input validation error in Visio Viewer - CVE-2012-0018

Cybersecurity Help s.r.o.

Published: 2012-05-09 | Updated: 2020-08-11

Vulnerability identifier: #VU44107

Vulnerability risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2012-0018

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Visio Viewer
Client/Desktop applications / Office applications

Vendor: Microsoft

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Microsoft Visio Viewer 2010 Gold and SP1 does not properly validate attributes in Visio files, which allows remote attackers to execute arbitrary code via a crafted file, aka "VSD File Format Memory Corruption Vulnerability."

Mitigation
Install update from vendor's website.

Vulnerable software versions

Visio Viewer: 2010

External links
https://osvdb.org/81731
https://secunia.com/advisories/49113
https://www.securityfocus.com/bid/53328
https://www.securitytracker.com/id?1027042
https://www.us-cert.gov/cas/techalerts/TA12-129A.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-031
https://exchange.xforce.ibmcloud.com/vulnerabilities/75115
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15606

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Microsoft Visio Viewer