Описание
Microsoft Office Elevation of Privilege Vulnerability
Deserialization of untrusted data in Microsoft Office allows an unauthorized attacker to elevate privileges locally.
FAQ
What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker can successfully exploit this vulnerability by escaping the Protected View sandbox and running code at Standard User privileges.
According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
An attacker must send the user a malicious file and convince them to open it.
Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.
According to the CVSS metric, the attack vector is local (AV:L). How could an attacker exploit this elevation of privilege vulnerability?
This attack involves a compromised Protected View Sandbox sending crafted messages to its trusted user process. This causes the user process to execute arbitrary code originating from the sandbox at higher privileges.
Обновления
| Продукт | Статья | Обновление |
|---|---|---|
| Microsoft Office 2016 (32-bit edition) | ||
| Microsoft Office 2016 (64-bit edition) | ||
| Microsoft Office 2019 for 32-bit editions | - | |
| Microsoft Office 2019 for 64-bit editions | - | |
| Microsoft 365 Apps for Enterprise for 32-bit Systems | - | |
| Microsoft 365 Apps for Enterprise for 64-bit Systems | - | |
| Microsoft Office LTSC 2021 for 64-bit editions | - | |
| Microsoft Office LTSC 2021 for 32-bit editions | - | |
| Microsoft Office LTSC 2024 for 32-bit editions | - | |
| Microsoft Office LTSC 2024 for 64-bit editions | - |
Показывать по
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
DOS
EPSS
7.8 High
CVSS3
Связанные уязвимости
Deserialization of untrusted data in Microsoft Office allows an unauthorized attacker to elevate privileges locally.
Deserialization of untrusted data in Microsoft Office allows an unauthorized attacker to elevate privileges locally.
Уязвимость пакета программ Microsoft Office, связанная с недостатками механизма десериализации, позволяющая нарушителю повысить свои привилегии
EPSS
7.8 High
CVSS3