The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Project

vulnerability alert CVE-2015-1759 CVE-2015-1760 CVE-2015-1770

Microsoft Office: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Office.
Impacted products: Office, Access, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 10/06/2015.
Identifiers: 3064949, CERTFR-2015-AVI-246, CVE-2015-1759, CVE-2015-1760, CVE-2015-1770, MS15-059, VIGILANCE-VUL-17091.

Description of the vulnerability

Three vulnerabilities were announced in Microsoft Office.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1759]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1760]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1770]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2015-1682 CVE-2015-1683

Microsoft Office: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Office.
Impacted products: Office, Access, Office Communicator, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, MOSS, Visio, Word.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/05/2015.
Identifiers: 3057181, CERTFR-2015-AVI-211, CVE-2015-1682, CVE-2015-1683, MS15-046, VIGILANCE-VUL-16887, ZDI-15-182.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1682, ZDI-15-182]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1683]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2015-1639 CVE-2015-1641 CVE-2015-1649

Microsoft Office: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Office.
Impacted products: Office, Access, Office Communicator, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, MOSS, Visio, Word.
Severity: 3/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 14/04/2015.
Identifiers: 3048019, CERTFR-2015-AVI-151, CVE-2015-1639, CVE-2015-1641, CVE-2015-1649, CVE-2015-1650, CVE-2015-1651, MS15-033, VIGILANCE-VUL-16596, ZDI-15-132.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1641]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1649]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1650, ZDI-15-132]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1651]

An attacker can trigger a Cross Site Scripting in Microsoft Outlook App for Mac, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1639]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2015-0085 CVE-2015-0086 CVE-2015-0097

Microsoft Office, SharePoint: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Office.
Impacted products: Office, Access, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, MOSS, Visio, Word.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 10/03/2015.
Identifiers: 3038999, CERTFR-2015-AVI-098, CVE-2015-0085, CVE-2015-0086, CVE-2015-0097, CVE-2015-1633, CVE-2015-1636, MS15-022, VIGILANCE-VUL-16366, ZDI-15-088.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can force the usage of a freed memory area in Office, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0085, ZDI-15-088]

An attacker can generate a memory corruption in Office, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0086]

An attacker can generate a memory corruption in Office, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0097]

An attacker can trigger a Cross Site Scripting in SharePoint, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1633]

An attacker can trigger a Cross Site Scripting in SharePoint, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1636]
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2014-6362

Microsoft Office: bypassing ASLR

Synthesis of the vulnerability

An attacker can bypass ASLR via Microsoft Office, in order to ease the exploitation of another vulnerability.
Impacted products: Office, Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 10/02/2015.
Identifiers: 3033857, CERTFR-2015-AVI-064, CVE-2014-6362, MS15-013, VIGILANCE-VUL-16163.

Description of the vulnerability

Systems use ASLR in order to randomize memory addresses used by programs and libraries.

However, Microsoft Office allows an attacker to bypass this security feature.

An attacker can therefore bypass ASLR via Microsoft Office, in order to ease the exploitation of another vulnerability.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2015-0063 CVE-2015-0064 CVE-2015-0065

Microsoft Office: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Office.
Impacted products: Office, Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 10/02/2015.
Identifiers: 3032328, CERTFR-2015-AVI-063, CVE-2015-0063, CVE-2015-0064, CVE-2015-0065, MS15-012, VIGILANCE-VUL-16162.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can generate a memory corruption in Excel, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0063]

An attacker can generate a memory corruption in Word, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0064]

An attacker can generate a memory corruption in Word OneTableDocumentStream, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0065]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2014-6364

Microsoft Office: use after free

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area of Microsoft Office, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Office, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 09/12/2014.
Identifiers: 3017349, CERTFR-2014-AVI-520, CVE-2014-6364, MS14-082, VIGILANCE-VUL-15766.

Description of the vulnerability

The Microsoft Office suite converts documents to object located in memory.

However, a function frees a memory area before reusing it.

An attacker can therefore force the usage of a freed memory area of Microsoft Office, in order to trigger a denial of service, and possibly to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2014-4077

Office 2007: privilege escalation via IME Japanese

Synthesis of the vulnerability

An attacker can use a vulnerability of the IME Japanese of Office 2007, in order to escalate his privileges.
Impacted products: Office, Access, Office Communicator, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Creation date: 12/11/2014.
Identifiers: 2992719, CERTFR-2014-AVI-476, CVE-2014-4077, MS14-078, VIGILANCE-VUL-15623.

Description of the vulnerability

The Office 2007 product can be configured with a Japanese IME (Input Method Editor), in order to enter Japanese characters.

However, a special file can be used to escape from the sandbox.

An attacker can therefore use a vulnerability of the IME Japanese of Office 2007, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2014-1817 CVE-2014-1818

Windows, Office, Lync: multiple vulnerabilities of Graphic

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Graphic of Windows, Office and Lync.
Impacted products: Lync, Office, Access, Office Communicator, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista.
Severity: 4/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/06/2014.
Identifiers: 2967487, CERTFR-2014-AVI-267, CVE-2014-1817, CVE-2014-1818, MS14-036, VIGILANCE-VUL-14877.

Description of the vulnerability

Several vulnerabilities were announced in Windows, Office and Lync.

An attacker can generate a memory corruption in Unicode Script Processor (usp10.dll), in order to trigger a denial of service, and possibly to execute code. [severity:4/4; CVE-2014-1817]

An attacker can generate a memory corruption in GDI+, in order to trigger a denial of service, and possibly to execute code. [severity:4/4; CVE-2014-1818]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2014-1809

Microsoft Office: bypassing ASLR via MSCOMCTL

Synthesis of the vulnerability

An attacker can obtain memory addresses, to bypass ASLR, in order to facilitate the development of an attack tool.
Impacted products: Office, Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 13/05/2014.
Identifiers: 2961033, CERTFR-2014-AVI-222, CVE-2014-1809, MS14-024, VIGILANCE-VUL-14742.

Description of the vulnerability

The ASLR (Address Space Layout Randomization) feature loads programs at random memory addresses, so it's more difficult to exploit memory corruptions.

However, the Microsoft Office MSCOMCTL library uses fixed addresses.

An attacker can therefore obtain memory addresses, to bypass ASLR, in order to facilitate the development of an attack tool.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Project: