Oct 09, 2018 - 12:00 a.m.

KLA11334 Multiple vulnerabilities in Microsoft Office

2018-10-09 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS2: 9.3

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 8
Confidence: High

EPSS: 0.306
Percentile: 97.0%

Multiple serious vulnerabilities were found in Microsoft Office. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, or obtain sensitive information.

Below is a complete list of vulnerabilities:

  1. An elevation of privilege vulnerability in Microsoft SharePoint can be exploited remotely via a specially crafted web request to gain privileges.
  2. A remote code execution vulnerability in Microsoft PowerPoint can be exploited remotely via a specially crafted file to execute arbitrary code.
  3. An information disclosure vulnerability in Microsoft Graphics Components can be exploited remotely via a specially crafted file to obtain sensitive information.
  4. An elevation of privilege vulnerability in Microsoft SharePoint can be exploited remotely via a specially crafted web request to gain privileges.
  5. A remote code execution vulnerability in Microsoft Graphics Components can be exploited remotely via a specially crafted file to execute arbitrary code.
  6. An elevation of privilege vulnerability in Microsoft SharePoint can be exploited remotely via specially crafted web requests to gain privileges.
  7. An elevation of privilege vulnerability in Microsoft SharePoint can be exploited remotely via specially crafted web requests to gain privileges.
  8. A remote code execution vulnerability in Microsoft Word can be exploited remotely via a specially crafted file to execute arbitrary code.
  9. A remote code execution vulnerability in Microsoft Excel can be exploited remotely via a specially crafted file to execute arbitrary code.

Original advisories

CVE-2018-8488

CVE-2018-8501

CVE-2018-8427

CVE-2018-8518

CVE-2018-8432

CVE-2018-8498

CVE-2018-8480

CVE-2018-8504

CVE-2018-8502

ADV180026

Related products

Microsoft-Office

Microsoft-Excel

Microsoft-Word

CVE list

CVE-2018-8432 critical

CVE-2018-8427 warning

CVE-2018-8488 warning

CVE-2018-8501 critical

CVE-2018-8518 warning

CVE-2018-8498 warning

CVE-2018-8480 warning

CVE-2018-8504 critical

CVE-2018-8502 critical

KB list

4092464

4461448

4092481

4092482

4092477

4461466

4461447

4092444

4461449

4461457

4092439

4227167

4461460

4227170

4092453

4461450

4092437

4461440

4022138

4092483

4461437

4461434

4461445

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an abuser to execute any code or commands on the vulnerable machine or process.

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can allow an abuser to capture information that is critical for the user or system.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can allow an abuser to perform actions that are normally disallowed for the current role.

Affected Products

  • Microsoft Office 2013 Service Pack 1 (32-bit editions)
  • Microsoft Excel 2013 RT Service Pack 1
  • Microsoft Excel 2016 (64-bit edition)
  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Excel 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Office 2013 RT Service Pack 1
  • Microsoft Excel 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2016 (64-bit edition)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Excel 2013 Service Pack 1 (32-bit editions)
  • Office 365 ProPlus for 32-bit Systems
  • Office 365 ProPlus for 64-bit Systems
  • Microsoft Excel 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft Excel 2016 (32-bit edition)
