KLA11267
Multiple vulnerabilities in Microsoft Office
Updated: 07/05/2018
CVSS
7.5
Detect date
06/12/2018
Severity
Critical
Description

Multiple serious vulnerabilities have been found in Microsoft Office. Malicious users can exploit these vulnerabilities to gain privileges, obtain sensitive information or execute arbitrary code.

Below is a complete list of vulnerabilities:

  1. Incorrect handling of requests in Microsoft SharePoint Server can be exploited remotely via a specially designed request to gain privileges;
  2. Multiple vulnerabilities related to improper handling of objects in memory in Microsoft Excel can be exploited locally via a specially designed document file to execute arbitrary code or obtain sensitive information;
  3. Incorrect handling of requests in Office Web Apps Server 2013 and Office Online Server can be exploited remotely via a specially designed request to gain privileges;
  4. Incorrect instantiation of OLE objects in Microsoft Publisher can be exploited remotely via a specially designed request to gain privileges;
  5. Improper validation of attachment headers in Microsoft Outlook can be exploited remotely via a specially designed e-mail message to gain privileges.
Affected products

Excel Services
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Excel Viewer
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office Online Server 2016
Microsoft Office Web Apps Server 2010 Service Pack 2
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft Outlook 2010 Service Pack 2 (32-bit editions)
Microsoft Outlook 2010 Service Pack 2 (64-bit editions)
Microsoft Outlook 2013 RT Service Pack 1
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Outlook 2016 (32-bit edition)
Microsoft Outlook 2016 (64-bit edition)
Microsoft Project Server 2010 Service Pack 2
Microsoft Publisher 2010 Service Pack 2 (32-bit editions)
Microsoft Publisher 2010 Service Pack 2 (64-bit editions)
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2013 Service Pack 1
Word Automation Services

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Original advisories

CVE-2018-8254
CVE-2018-8248
ADV180015
CVE-2018-8246
CVE-2018-8252
CVE-2018-8247
CVE-2018-8245
CVE-2018-8244

Impacts

ACE
OSI
PE
Related products
Microsoft Outlook
Microsoft Office
Microsoft Excel
CVE-IDS

CVE-2018-8244
CVE-2018-8245
CVE-2018-8247
CVE-2018-8252
CVE-2018-8246
CVE-2018-8248
CVE-2018-8254

KB list

4022209
4022197
3115248
4022182
4022179
4022205
4022190
4022199
3115197
4022196
4022174
4022173
4022160
4022151
4011186
4011026
4018387
4022210
4022169
4022177
4018391
4022183
4022191
4022203