KLA11287 Multiple vulnerabilities in Microsoft Office

Multiple vulnerabilities were found in Microsoft Office. Malicious users can exploit these vulnerabilities to execute arbitrary code, spoof user interface, bypass security restrictions, gain privileges.

Below is a complete list of vulnerabilities:

1. A tampering vulnerability in Microsoft Office can be exploited remotely to spoof user interface.
2. A remote code execution vulnerability in Microsoft Office can be exploited remotely to execute arbitrary code.
3. A remote code execution vulnerability in Skype for Business and Microsoft Lync can be exploited remotely to execute arbitrary code.
4. A remote code execution vulnerability in Microsoft Access can be exploited remotely to execute arbitrary code.
5. An elevation of privilege vulnerability in Microsoft SharePoint can be exploited remotely to gain privileges.
6. A security feature bypass vulnerability in Skype for Business and Lync can be exploited remotely to bypass security restrictions.
7. A remote code execution vulnerability in Microsoft SharePoint can be exploited remotely to execute arbitrary code.
8. A remote code execution vulnerability in Microsoft SharePoint Server can be exploited remotely to execute arbitrary code.

Original advisories

CVE-2018-8310

CVE-2018-8281

CVE-2018-8311

CVE-2018-8312

CVE-2018-8323

CVE-2018-8238

CVE-2018-8300

CVE-2018-8299

CVE-2018-8284

Related products

Microsoft-Access

Microsoft-Lync

Microsoft-Office

Microsoft-Excel

Microsoft-Word

Microsoft-SharePoint

CVE list

CVE-2018-8310 warning

CVE-2018-8281 critical

CVE-2018-8311 high

CVE-2018-8312 critical

CVE-2018-8323 warning

CVE-2018-8238 critical

CVE-2018-8300 high

CVE-2018-8299 warning

CVE-2018-8284 critical

KB list

4022224

4022200

4022225

4032214

4022202

4011202

4018351

4022221

4022228

4022218

4022243

4018338

4022235

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Skype for Business 2016 (32-bit)Microsoft Lync 2013 Service Pack 1 (32-bit)Microsoft Lync 2013 Service Pack 1 (64-bit)Skype for Business 2016 (64-bit)Microsoft Office Compatibility Pack Service Pack 3Microsoft PowerPoint ViewerMicrosoft Office Word ViewerMicrosoft Office 2016 for MacMicrosoft Office 2016 Click-to-Run (C2R) for 64-bit editionsMicrosoft Office 2016 Click-to-Run (C2R) for 32-bit editionsMicrosoft Excel ViewerMicrosoft SharePoint Foundation 2013 Service Pack 1Microsoft SharePoint Enterprise Server 2016Microsoft SharePoint Enterprise Server 2013 Service Pack 1Microsoft Office 2010 Service Pack 2 (32-bit editions)Microsoft Office 2010 Service Pack 2 (64-bit editions)Microsoft Word 2016 (32-bit edition)Microsoft Word 2013 Service Pack 1 (64-bit editions)Microsoft Word 2010 Service Pack 2 (64-bit editions)Microsoft Word 2010 Service Pack 2 (32-bit editions)Microsoft Word 2013 Service Pack 1 (32-bit editions)Microsoft Word 2013 RT Service Pack 1Microsoft Word 2016 (64-bit edition)Microsoft Access 2016 (32-bit edition)Microsoft Access 2016 (64-bit edition)Microsoft Access 2013 Service Pack 1 (32-bit editions)Microsoft Access 2013 Service Pack 1 (64-bit editions)Microsoft SharePoint Server 2013 Service Pack 1Microsoft Project Server 2013 Service Pack 1 (64-bit edition)Microsoft SharePoint Server 2010 Service Pack 2Microsoft SharePoint Foundation 2010 Service Pack 2Microsoft Project Server 2010 Service Pack 2