Description
Microsoft Office Remote Code Execution Vulnerability
A remote code execution vulnerability exists when Microsoft Office improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, an attacker must first convince a user to open a specially crafted Office document.
The updates address the vulnerability by correcting how Office validates input before loading DLL files.
FAQ
Does this update contain any additional security-related changes to functionality? Yes. In addition to the security updates that address the vulnerabilities described in this bulletin, Microsoft is releasing a security enhancement for Microsoft OneNote. After installing the updates listed in the following table, when users click a hyperlink in OneNote, they will be prompted to confirm whether they want to navigate to the selected URL.
Affected Software | Updates Replaced |
---|---|
Microsoft Office OneNote 2016 32-bit edition (3114862) | 2920726 in MS15-116 |
Microsoft Office OneNote 2016 64-bit edition (3114862) | 2920726 in MS15-116 |
I have Microsoft Word 2010 installed. Why am I not being offered the 3115198 update? The 3115198 update only applies to systems running specific configurations of Microsoft Office 2010. Some configurations will not be offered the update.
I am being offered this update for software that is not specifically indicated as being affected in the Affected Products table. Why am I being offered this update? When updates address vulnerable code that exists in a component that is shared between multiple Microsoft Office products or shared between multiple versions of the same Microsoft Office product, the update is considered to be applicable to all supported products and versions that contain the vulnerable component.
For example, when an update applies to Microsoft Office 2007 products, only Microsoft Office 2007 may be specifically listed in the Affected Software table. However, the update could apply to Microsoft Word 2007, Microsoft Excel 2007, Microsoft Visio 2007, Microsoft Compatibility Pack, Microsoft Excel Viewer, or any other Microsoft Office 2007 product that is not specifically listed in the Affected Software table. Furthermore, when an update applies to Microsoft Office 2010 products, only Microsoft Office 2010 may be specifically listed in the Affected Software table. However, the update could apply to Microsoft Word 2010, Microsoft Excel 2010, Microsoft Visio 2010, Microsoft Visio Viewer, or any other Microsoft Office 2010 product that is not specifically listed in the Affected Software table. For more information on this behavior and recommended actions, see Microsoft Knowledge Base Article 830335. For a list of Microsoft Office products that an update may apply to, refer to the Microsoft Knowledge Base Article associated with the specific update.
Updates
Product | Article | Update |
---|---|---|
Microsoft Visio Viewer 2010 (32-bit Edition) | ||
Microsoft Visio 2007 Service Pack 3 | ||
Microsoft Visio Viewer 2010 (64-bit Edition) | ||
Microsoft Visio 2010 Service Pack 2 (32-bit editions) | ||
Microsoft Visio 2010 Service Pack 2 (64-bit editions) | ||
Microsoft Visio 2013 Service Pack 1 (32-bit editions) | ||
Microsoft Visio 2013 Service Pack 1 (64-bit editions) | ||
Microsoft Visio 2016 (32-bit edition) | ||
Microsoft Visio 2016 (64-bit edition) | ||
Microsoft Visio Viewer 2007 Service Pack 3 | ||
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DOS
EPSS
Related vulnerabilities
Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, Visio Viewer 2007 SP3, and Visio Viewer 2010 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Microsoft Office OLE DLL Side Loading Vulnerability."
A vulnerability in the Microsoft Visio graphics editor and the Microsoft Visio Viewer document viewing and printing tool that allows an attacker to elevate their privileges