MS16-070: Security Update for Microsoft Office (3163610)
High Nessus Plugin ID 91611
Synopsis
An application installed on the remote Windows host is affected by multiple vulnerabilities.
Description
The remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities in Microsoft Office:
- Multiple remote code execution vulnerabilities exist due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit these by convincing a user to open a specially crafted file or visit a website that hosts such a file, resulting in the execution of arbitrary code in the context of the user.
- A flaw exists due to improper disclosure of memory contents. An unauthenticated, remote attacker can exploit this by convincing a user to open a specially crafted file, resulting in the disclosure of potentially sensitive information. (CVE-2016-3234)
- A flaw exists due to improper validation of input before loading OLE library files. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code. (CVE-2016-3235)
Solution
Microsoft has released a set of patches for Microsoft Office 2007, 2010, 2013, 2013 RT, and 2016; Microsoft Word 2007, 2010, 2013, 2013 RT, and 2016; Microsoft Excel 2007 and 2010; Microsoft Visio 2007, 2010, 2013, and 2016; Visio Viewer 2007 and 2010; Word Viewer; Microsoft Office Compatibility Pack; Office Web Apps 2010 and 2013; Microsoft SharePoint Server 2010 and 2013; and Office Online Server.