MS14-069: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote host is affected by multiple vulnerabilities.

Description :

The remote Windows host has a version of Microsoft Office, Office
Compatibility Pack, or Microsoft Word Viewer that is affected by one
or more vulnerabilities :

- A double delete remote code execution vulnerability due
to Microsoft Word not properly handling objects in
memory while parsing specially crafted Office files. An
attacker can exploit this vulnerability by convincing or
tricking a user into opening a specially crafted file,
resulting in execution of arbitrary code in the context
of the current user. (CVE-2014-6333)

- A bad index remote code execution vulnerability due to
Microsoft Word not properly handling objects in memory
while parsing specially crafted Office files. An
attacker can exploit this vulnerability by convincing or
tricking a user into opening a specially crafted file,
resulting in execution of arbitrary code in the context
of the current user. (CVE-2014-6334)

- An invalid pointer remote code execution vulnerability
due to Microsoft Word not properly handling objects in
memory while parsing specially crafted Office files. An
attacker can exploit this vulnerability by convincing or
tricking a user into opening a specially crafted file,
resulting in execution of arbitrary code in the context
of the current user. (CVE-2014-6335)

See also :

https://technet.microsoft.com/library/security/ms14-069

Solution :

Microsoft has released a set of patches for Office 2007, Office
Compatibility Pack, and Microsoft Word Viewer.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows : Microsoft Bulletins

Nessus Plugin ID: 79129

Bugtraq ID: 70961, 70962, 70963

CVE ID: CVE-2014-6333, CVE-2014-6334, CVE-2014-6335
