The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Word

vulnerability note CVE-2015-2434 CVE-2015-2440 CVE-2015-2471

Windows, Office: three vulnerabilities of XML Core Services

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in XML Core Services of Windows.
Impacted products: Office, Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 11/08/2015.
Identifiers: 3080129, CERTFR-2015-AVI-338, CVE-2015-2434, CVE-2015-2440, CVE-2015-2471, MS15-084, VIGILANCE-VUL-17634, ZDI-15-381.

Description of the vulnerability

Several vulnerabilities were announced in XML Core Services used by Windows/Office.

An attacker can force the usage of SSLv2, in order to obtain sensitive information. [severity:2/4; CVE-2015-2434]

An attacker can guess the memory layout of a process, to bypass ASLR, in order to ease the next step of the attack. [severity:2/4; CVE-2015-2440, ZDI-15-381]

An attacker can force the usage of SSLv2, in order to obtain sensitive information. [severity:2/4; CVE-2015-2471]

vulnerability alert CVE-2015-1642 CVE-2015-2423 CVE-2015-2466

Microsoft Office: eight vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in Microsoft Office.
Impacted products: Office, Access, Office Communicator, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 11/08/2015.
Identifiers: 3080790, CERTFR-2015-AVI-335, CERTFR-2015-AVI-342, CVE-2015-1642, CVE-2015-2423, CVE-2015-2466, CVE-2015-2467, CVE-2015-2468, CVE-2015-2469, CVE-2015-2470, CVE-2015-2477, MS15-081, VIGILANCE-VUL-17631.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can force the usage of a freed memory area in CTaskSymbol, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-1642]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-2467]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-2468]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-2469]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-2477]

An attacker can use a special command line on Windows, for example from Internet Explorer, in order to run some programs, such as Notepad or Office (VIGILANCE-VUL-17638). [severity:2/4; CERTFR-2015-AVI-342, CVE-2015-2423]

An attacker can use a malicious template, in order to run code. [severity:3/4; CVE-2015-2466]

An attacker can generate an integer overflow, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-2470]

computer vulnerability bulletin CVE-2015-2431 CVE-2015-2435 CVE-2015-2455

Microsoft Office: six vulnerabilities of Graphics Component

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in the Graphics Component of Microsoft Office.
Impacted products: Office, Access, Office Communicator, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.
Severity: 4/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 6.
Creation date: 11/08/2015.
Identifiers: 3078662, CERTFR-2015-AVI-334, CVE-2015-2431, CVE-2015-2435, CVE-2015-2455, CVE-2015-2456, CVE-2015-2463, CVE-2015-2464, MS15-080, VIGILANCE-VUL-17628, ZDI-15-387, ZDI-15-388.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can generate a memory corruption in Office Graphics Library Font, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-2431]

An attacker can generate a memory corruption in TrueType, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-2435, ZDI-15-387]

An attacker can generate a memory corruption in TrueType, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-2455, ZDI-15-388]

An attacker can generate a memory corruption in TrueType, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-2456]

An attacker can generate a memory corruption in TrueType, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-2463]

An attacker can generate a memory corruption in TrueType, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2015-2464]

vulnerability CVE-2015-2375 CVE-2015-2376 CVE-2015-2377

Microsoft Office: eight vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in Microsoft Office.
Impacted products: Office, Access, Office Communicator, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 15/07/2015.
Identifiers: 3072620, CERTFR-2015-AVI-297, CVE-2015-2375, CVE-2015-2376, CVE-2015-2377, CVE-2015-2378, CVE-2015-2379, CVE-2015-2380, CVE-2015-2415, CVE-2015-2424, MS15-070, VIGILANCE-VUL-17360, ZDI-15-326, ZDI-15-327, ZDI-15-328.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-2376, ZDI-15-326]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-2377, ZDI-15-327]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-2379]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-2380]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-2415]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-2424]

An attacker can guess the memory layout of a Microsoft Excel process, to bypass ASLR, in order to ease the next step of the attack. [severity:2/4; CVE-2015-2375, ZDI-15-328]

An attacker can invite the victim to open an Excel document from a directory containing a malicious DLL, in order to run code. [severity:3/4; CVE-2015-2378]

vulnerability alert CVE-2015-1759 CVE-2015-1760 CVE-2015-1770

Microsoft Office: three vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in Microsoft Office.
Impacted products: Office, Access, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 10/06/2015.
Identifiers: 3064949, CERTFR-2015-AVI-246, CVE-2015-1759, CVE-2015-1760, CVE-2015-1770, MS15-059, VIGILANCE-VUL-17091.

Description of the vulnerability

Three vulnerabilities were announced in Microsoft Office.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1759]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1760]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1770]

computer vulnerability announce CVE-2015-1682 CVE-2015-1683

Microsoft Office: two vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in Microsoft Office.
Impacted products: Office, Access, Office Communicator, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, MOSS, Visio, Word.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/05/2015.
Identifiers: 3057181, CERTFR-2015-AVI-211, CVE-2015-1682, CVE-2015-1683, MS15-046, VIGILANCE-VUL-16887, ZDI-15-182.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1682, ZDI-15-182]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1683]

computer vulnerability alert CVE-2015-1639 CVE-2015-1641 CVE-2015-1649

Microsoft Office: five vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in Microsoft Office.
Impacted products: Office, Access, Office Communicator, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, MOSS, Visio, Word.
Severity: 3/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 14/04/2015.
Identifiers: 3048019, CERTFR-2015-AVI-151, CVE-2015-1639, CVE-2015-1641, CVE-2015-1649, CVE-2015-1650, CVE-2015-1651, MS15-033, VIGILANCE-VUL-16596, ZDI-15-132.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1641]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1649]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1650, ZDI-15-132]

An attacker can force the usage of a freed memory area, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-1651]

An attacker can trigger a Cross Site Scripting in Microsoft Outlook App for Mac, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1639]

computer vulnerability alert CVE-2015-0085 CVE-2015-0086 CVE-2015-0097

Microsoft Office, SharePoint: five vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in Microsoft Office.
Impacted products: Office, Access, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, MOSS, Visio, Word.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 10/03/2015.
Identifiers: 3038999, CERTFR-2015-AVI-098, CVE-2015-0085, CVE-2015-0086, CVE-2015-0097, CVE-2015-1633, CVE-2015-1636, MS15-022, VIGILANCE-VUL-16366, ZDI-15-088.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can force the usage of a freed memory area in Office, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0085, ZDI-15-088]

An attacker can generate a memory corruption in Office, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0086]

An attacker can generate a memory corruption in Office, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2015-0097]

An attacker can trigger a Cross Site Scripting in SharePoint, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1633]

An attacker can trigger a Cross Site Scripting in SharePoint, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1636]

computer vulnerability bulletin 16288

Word: memory corruption via Line Formatting

Synthesis of the vulnerability

An attacker can generate a memory corruption in Word, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Office, Word.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 02/03/2015.
Identifiers: VIGILANCE-VUL-16288, ZDI-15-052.

Description of the vulnerability

A Word document is stored in a file with the "docx" extension.

However, a malformed docx file corrupts the memory.

An attacker can therefore generate a memory corruption in Word, in order to trigger a denial of service, and possibly to execute code.

vulnerability bulletin CVE-2014-6362

Microsoft Office: bypassing ASLR

Synthesis of the vulnerability

An attacker can bypass ASLR via Microsoft Office, in order to ease the exploitation of another vulnerability.
Impacted products: Office, Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 10/02/2015.
Identifiers: 3033857, CERTFR-2015-AVI-064, CVE-2014-6362, MS15-013, VIGILANCE-VUL-16163.

Description of the vulnerability

Systems use ASLR in order to randomize memory addresses used by programs and libraries.

However, Microsoft Office allows an attacker to bypass this security feature.

An attacker can therefore bypass ASLR via Microsoft Office, in order to ease the exploitation of another vulnerability.