Synopsis
An application installed on the remote host is affected by multiple vulnerabilities.
Description
The Microsoft Office application, Office Web Apps, or SharePoint Server installed on the remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities:
- Multiple remote code execution vulnerabilities exist in Microsoft Office software due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit these, by convincing a user to open a specially crafted document file, to execute arbitrary code in the context of the current user. (CVE-2017-0006, CVE-2017-0019, CVE-2017-0020, CVE-2017-0030, CVE-2017-0031, CVE-2017-0052, CVE-2017-0053)
- An information disclosure vulnerability exists in Microsoft Office due to improper disclosure of memory contents. An unauthenticated, remote attacker can exploit this to disclose sensitive system memory information by convincing a user to open a specially crafted document file. (CVE-2017-0027)
- A denial of service vulnerability exists in Microsoft Office that allows an unauthenticated, remote attacker to cause Office to stop responding by convincing a user to open a specially crafted document file.
- An out-of-bounds read error exists in Microsoft Office due to an uninitialized variable. A local attacker can exploit this to disclose memory contents by opening a specially crafted document file. (CVE-2017-0105)
- A cross-site scripting (XSS) vulnerability exists in Microsoft SharePoint Server due to improper validation of input before returning it to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-0107)
Solution
Microsoft has released a set of patches for Microsoft Office 2007, 2010, 2013, and 2016; Microsoft Excel 2007, 2010, 2013, and 2016; Microsoft Word 2007, 2010, 2013, and 2016; Microsoft Office Compatibility Pack; Microsoft Excel Viewer; Microsoft Word Viewer; Microsoft SharePoint Server 2007, 2010, and 2013; Microsoft SharePoint Foundation 2013; and Microsoft Office Web Apps Server 2010 and 2013.