Microsoft reveals and patches Office vulnerability
Mimecast Research Labs discovered the vulnerability in Microsoft Office applications when using ActiveX control objects
9 January 2019 | 0
Microsoft has revealed an information disclosure vulnerability within Microsoft Office, which improperly discloses contents of its memory.
Exploitation of this vulnerability, which was discovered by Mimecast Research Labs, could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources.
Mimecast Research Labs discovered the vulnerability in Microsoft Office applications when using ActiveX control objects.
According to the company, the vulnerability exists because the MSO.DLL appears to improperly disclose the contents of its process memory.
“An attacker who successfully exploits this vulnerability could obtain information to further compromise a user’s system (bypass ASLR) or to read sensitive and/or private information stored in memory such as passwords, certificates, http requests and domain/user information,” said Mimecast in a statement.
Microsoft said that to exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it.
“An attacker must know the memory address location where the object was created.”
Microsoft has issued an update to address the vulnerability while Mimecast stated that it is not aware of any actual exploitation of the vulnerability.
IDG News Service