MS16-015: Security Update for Microsoft Office to Address Remote Code Execution (3134226)
High Nessus Plugin ID 88647
Synopsis
The remote Windows host is affected by multiple vulnerabilities.
Description
The remote Windows host has a version of Microsoft Office, Word, Word Viewer, Excel, Excel Viewer, SharePoint, Microsoft Office Compatibility Pack, or Office Web Apps installed that is affected by multiple vulnerabilities:
- Multiple remote code execution vulnerabilities exist due to improper handling of objects in memory. A remote attacker can exploit these vulnerabilities by convincing a user to open a specially crafted file in Microsoft Office, resulting in the execution of arbitrary code in the context of the current user. (CVE-2016-0022, CVE-2016-0052, CVE-2016-0053, CVE-2016-0054, CVE-2016-0055, CVE-2015-0056)
- A cross-site scripting vulnerability exists in SharePoint due to improper sanitization of specially crafted web requests. An authenticated, remote attacker can exploit this, via a specially crafted web request, to execute arbitrary script code in a user's browser session. (CVE-2016-0039)
Solution
Microsoft has released a set of patches for Office 2007, 2010, 2013, 2013 RT, and 2016; Word, Word Viewer, Excel, Excel Viewer; SharePoint Server 2007, 2010, and 2013; SharePoint Foundation 2013, Microsoft Office Compatibility Pack, and Office Web Apps.