Описание
Office Developer Platform Security Feature Bypass Vulnerability
Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.
FAQ
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
To successfully exploit this vulnerability, an attacker would need to gain elevated privileges enabling them to perform file operations in directories they would not normally be able to access or perform.
According to the CVSS metric, the attack vector is local (AV:L), privileges are required (PR:L) and user interaction is required (UI:R). How could an attacker exploit this security feature bypass vulnerability?
The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.
According to the CVSS metric, Confidentiality and Integrity are rated as Low and Availability is None (C:L, I:L, A:N). What does that mean for this vulnerability?
An attacker is only able to compromise files that they were allowed access to as part of their initial privilege but cannot affect the availability of the browser.
How could an attacker exploit this vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.
What kind of security feature could be bypassed by successfully exploiting this vulnerability?
An attacker who successfully exploited this vulnerability could bypass the Office Visual Basic for Applications (VBA) signature scheme.
Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
DOS
EPSS
3.3 Low
CVSS3
Связанные уязвимости
Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.
Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.
Уязвимость пакета программ Microsoft 365 Apps for Enterprise, связанная с использованием криптографических алгоритмов, содержащих дефекты, позволяющая нарушителю обойти ограничения безопасности
EPSS
3.3 Low
CVSS3