The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability announce CVE-2016-0137 CVE-2016-0141 CVE-2016-3357

Microsoft Office: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Office.
Vulnerable products: Office, Access, Office Communicator, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, MOSS, Visio, Word.
Severity of this weakness: 3/4.
Consequences of an attack: user access/rights, data reading, denial of service on client.
Hacker's origin: document.
Number of vulnerabilities in this bulletin: 13.
Creation date: 13/09/2016.
Revision date: 21/09/2016.
Références of this bulletin: 3185852, CERTFR-2016-AVI-309, CVE-2016-0137, CVE-2016-0141, CVE-2016-3357, CVE-2016-3358, CVE-2016-3359, CVE-2016-3360, CVE-2016-3361, CVE-2016-3362, CVE-2016-3363, CVE-2016-3364, CVE-2016-3365, CVE-2016-3366, CVE-2016-3381, MS16-107, VIGILANCE-VUL-20592, ZDI-16-508.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Office.

An attacker can bypass security features via Click-to-Run, in order to obtain sensitive information. [severity:1/4; CVE-2016-0137]

An attacker can bypass security features via Visual Basic Macros, in order to obtain sensitive information. [severity:2/4; CVE-2016-0141]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-3357]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-3358]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-3359]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-3360]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-3361]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-3362]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-3363]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-3364]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-3365, ZDI-16-508]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-3381]

An attacker can alter displayed information, in order to deceive the victim. [severity:2/4; CVE-2016-3366]
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides system vulnerability announces. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce vulnerability database contains several thousand vulnerabilities.