MS15-088: Unsafe Command Line Parameter Passing Could Allow Information Disclosure (3082458)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host is affected by an information disclosure
vulnerability.

Description :

The remote Windows host is affected by an information disclosure
vulnerability when files at a medium integrity level become accessible
to Internet Explorer running in Enhanced Protection Mode (EPM). An
attacker can exploit this vulnerability by leveraging another
vulnerability to execute code in IE with EPM, and then executing
Excel, Notepad, PowerPoint, Visio, or Word using an unsafe command
line parameter.

See also :

https://technet.microsoft.com/library/security/MS15-088

Solution :

Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 8, RT, 2012, 8.1, RT 8.1, 2012 R2, and 10.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.2
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows : Microsoft Bulletins

Nessus Plugin ID: 85334

Bugtraq ID: 76202

CVE ID: CVE-2015-2423
