Microsoft Office PowerPoint 2010 - Invalid Pointer Reference
2016-09-21T00:00:00
ID: EDB-ID:40406
Type: exploitdb
Reporter: Google Security Research
Modified: 2016-09-21T00:00:00
Description
Microsoft Office PowerPoint 2010 - Invalid Pointer Reference. CVE-2016-3357. DoS exploit for Windows platform.
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=866
The following crash was observed in Microsoft PowerPoint 2010 running under Windows 7 x86 with application verifier enabled.
File versions are:
mso.dll: 14.0.7166.5000
ppcore.dll: 14.0.7168.5000
Attached crashing file: 3525170180.ppt
Crashing context:
eax=1979aea0 ebx=1638bb50 ecx=1979aea0 edx=0024e340 esi=00000000 edi=00000000
eip=663088d8 esp=0024e330 ebp=0024e330 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
ppcore!DllGetLCID+0x18205e:
663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????
Call Stack:
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0024e330 663088cc 1979aea0 0024e46c 00000000 ppcore!DllGetLCID+0x18205e
0024e350 663072cb 0024e46c e437cde4 00000000 ppcore!DllGetLCID+0x182052
0024e4c8 662fcbda 1cd76fe8 0024e4f0 0024e574 ppcore!DllGetLCID+0x180a51
0024e598 662fc9ee 00000000 0024e5e0 0024e63e ppcore!DllGetLCID+0x176360
0024e5ac 662e82fd 0024e5e0 0024e63e e4362e14 ppcore!DllGetLCID+0x176174
00250738 662e7c88 17802ef8 073def40 1638bb50 ppcore!DllGetLCID+0x161a83
00250774 6619d3e9 002508a4 00250890 1638bb50 ppcore!DllGetLCID+0x16140e
Disassembly:
663088d2 55 push ebp
663088d3 8bec mov ebp,esp
663088d5 8b4d08 mov ecx,dword ptr [ebp+8]
663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????
The ecx register is pointing to invalid memory in this crash. Looking at the call stack and disassembly above we can see that this value was passed in as the first argument to the crashing function. The calling function obtained this value from a pointer in stack memory at 0x0024e46c + 0x10:
0:000> dd poi(0024e46c)
1cb7cfa0 00000000 1cb7cfa0 00000002 19045ea0
1cb7cfb0 1979aea0 00000000 00000000 00000000
We can verify that this is allocated memory and find the function that allocated it:
(address changed between runs and is now 0x1cb7cfa0)
0:000> !heap -p -a 1cb7cfa0
address 1cb7cfa0 found in
_DPH_HEAP_ROOT @ 1261000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1d2b14e0: 1cb7cfa0 5c - 1cb7c000 2000
6f748e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
7719616e ntdll!RtlDebugAllocateHeap+0x00000030
7715a08b ntdll!RtlpAllocateHeap+0x000000c4
77125920 ntdll!RtlAllocateHeap+0x0000023a
72eaad1a vrfcore!VerifierSetAPIClassName+0x000000aa
701f16ac vfbasics+0x000116ac
641a6cca mso!Ordinal149+0x000078e0
66118132 ppcore!PPMain+0x00001244
662fcbda ppcore!DllGetLCID+0x00176360
662fc9ee ppcore!DllGetLCID+0x00176174
662e82fd ppcore!DllGetLCID+0x00161a83
Setting breakpoints on ppcore!DllGetLCID+0x00176360 and subsequent memory write access breakpoints at eax+0x10 (there are multiple hits) eventually resulted in the same file crashing with a different context:
eax=00000000 ebx=17c2cb50 ecx=00000000 edx=00000000 esi=1a36eea0 edi=1a36eea0
eip=6625a361 esp=0022e1d0 ebp=0022e1f8 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210293
ppcore!DllGetLCID+0xd3ae7:
6625a361 8b4870 mov ecx,dword ptr [eax+70h] ds:0023:00000070=????????
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0022e1f8 662d7d30 661813c4 ec3f4e62 00000000 ppcore!DllGetLCID+0xd3ae7
0022e220 663088e2 00000000 661813c4 0022e250 ppcore!DllGetLCID+0x1514b6
0022e230 663088cc 1a36eea0 0022e36c 00000000 ppcore!DllGetLCID+0x182068
0022e250 663072cb 0022e36c ec3f4f8a 00000000 ppcore!DllGetLCID+0x182052
0022e3c8 662fcbda 1c7a4fe8 0022e3f0 0022e474 ppcore!DllGetLCID+0x180a
Given the different crashing contexts related to timing when breakpoints are set I suspect this to be a heap corruption bug that Application Verifier does not detect.
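An added triage example (not part of the original report): the Python below parses the two crash contexts shown above, recomputes each faulting address from the base register and displacement, cross-checks it against the address WinDbg printed, and lists the stack frames common to both crashes. The function names and the 64 KB near-null threshold are assumptions of this example.

```python
import re

# Crash contexts copied from the report above (register dump, faulting
# instruction, leading stack frames); the segment-register line is omitted.
CRASH_A = """\
eax=1979aea0 ebx=1638bb50 ecx=1979aea0 edx=0024e340 esi=00000000 edi=00000000
eip=663088d8 esp=0024e330 ebp=0024e330 iopl=0 nv up ei pl nz na pe nc
ppcore!DllGetLCID+0x18205e:
663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????
0024e330 663088cc 1979aea0 0024e46c 00000000 ppcore!DllGetLCID+0x18205e
0024e350 663072cb 0024e46c e437cde4 00000000 ppcore!DllGetLCID+0x182052
0024e4c8 662fcbda 1cd76fe8 0024e4f0 0024e574 ppcore!DllGetLCID+0x180a51
"""
CRASH_B = """\
eax=00000000 ebx=17c2cb50 ecx=00000000 edx=00000000 esi=1a36eea0 edi=1a36eea0
eip=6625a361 esp=0022e1d0 ebp=0022e1f8 iopl=0 nv up ei ng nz ac po cy
ppcore!DllGetLCID+0xd3ae7:
6625a361 8b4870 mov ecx,dword ptr [eax+70h] ds:0023:00000070=????????
0022e1f8 662d7d30 661813c4 ec3f4e62 00000000 ppcore!DllGetLCID+0xd3ae7
0022e220 663088e2 00000000 661813c4 0022e250 ppcore!DllGetLCID+0x1514b6
0022e230 663088cc 1a36eea0 0022e36c 00000000 ppcore!DllGetLCID+0x182068
0022e250 663072cb 0022e36c ec3f4f8a 00000000 ppcore!DllGetLCID+0x182052
"""

REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
# Memory operand of the faulting instruction, e.g. "[ecx+10h]"
OPERAND_RE = re.compile(r"\[(e[a-z]{2})(?:([+-])([0-9a-fA-F]+)h)?\]")
# WinDbg's resolved address and value, e.g. "ds:0023:1979aeb0=????????"
RESOLVED_RE = re.compile(r"\b(?:cs|ds|es|fs|gs|ss):[0-9a-f]{4}:([0-9a-f]{8})=(\S+)")
# A "kb" stack line: ChildEBP, RetAddr, arguments, then module!symbol+offset
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} .*?(\w+!\w+\+0x[0-9a-f]+)$", re.M)

# Assumption of this example: treat anything in the lowest 64 KB as a
# NULL-plus-offset access, since that range is normally unmapped on Windows.
NULL_GUARD = 0x10000


def parse_crash(text):
    """Extract registers and the faulting memory access from a WinDbg dump."""
    regs = {name: int(value, 16) for name, value in REG_RE.findall(text)}
    # The faulting instruction is the line that starts with the eip value.
    eip_prefix = "%08x " % regs["eip"]
    fault = next(l for l in text.splitlines() if l.startswith(eip_prefix))
    base, sign, disp = OPERAND_RE.search(fault).groups()
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    effective = (regs[base] + offset) & 0xFFFFFFFF
    resolved = RESOLVED_RE.search(fault)
    return {
        "base": base,
        "base_value": regs[base],
        "effective": effective,
        "windbg_address": int(resolved.group(1), 16),
        # WinDbg prints question marks when it cannot read the memory.
        "unreadable": set(resolved.group(2)) == {"?"},
    }


def classify(ctx):
    """Coarse triage bucket for the faulting access."""
    if not ctx["unreadable"]:
        return "readable"
    if ctx["effective"] < NULL_GUARD:
        return "near-null"
    return "non-null-unmapped"


def shared_frames(dump_a, dump_b):
    """Stack symbols that appear in both dumps, in the order of dump_a."""
    in_b = set(FRAME_RE.findall(dump_b))
    return [sym for sym in FRAME_RE.findall(dump_a) if sym in in_b]


if __name__ == "__main__":
    for label, dump in (("first", CRASH_A), ("second", CRASH_B)):
        ctx = parse_crash(dump)
        print("%s crash: [%s=%08x] -> %08x (%s)" % (
            label, ctx["base"], ctx["base_value"], ctx["effective"], classify(ctx)))
    print("shared frames:", shared_frames(CRASH_A, CRASH_B))
```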
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40406.zip
{"id": "EDB-ID:40406", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Microsoft Office PowerPoint 2010 - Invalid Pointer Reference", "description": "Microsoft Office PowerPoint 2010 - Invalid Pointer Reference. CVE-2016-3357. Dos exploit for Windows platform", "published": "2016-09-21T00:00:00", "modified": "2016-09-21T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/40406/", "reporter": "Google Security Research", "references": [], "cvelist": ["CVE-2016-3357"], "lastseen": "2016-09-21T17:28:14", "viewCount": 10, "enchantments": {"score": {"value": 5.9, "vector": "NONE", "modified": "2016-09-21T17:28:14", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-3357"]}, {"type": "symantec", "idList": ["SMNTC-92786"]}, {"type": "mscve", "idList": ["MS:CVE-2016-3357"]}, {"type": "zdt", "idList": ["1337DAY-ID-24817"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310807361", "OPENVAS:1361412562310809044", "OPENVAS:1361412562310807367", "OPENVAS:1361412562310809043", "OPENVAS:1361412562310807366"]}, {"type": "nessus", "idList": ["SMB_NT_MS16-107.NASL", "MACOSX_MS16-107_OFFICE.NASL"]}, {"type": "mskb", "idList": ["KB3185852"]}, {"type": "kaspersky", "idList": ["KLA10874"]}], "modified": "2016-09-21T17:28:14", "rev": 2}, "vulnersScore": 5.9}, "sourceHref": "https://www.exploit-db.com/download/40406/", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=866\r\n\r\nThe following crash was observed in Microsoft PowerPoint 2010 running under Windows 7 x86 with application verifier enabled. 
\r\n\r\nFile versions are:\r\n mso.dll: 14.0.7166.5000\r\n ppcore.dll: 14.0.7168.5000\r\n\r\nAttached crashing file: 3525170180.ppt\r\n\r\nCrashing context:\r\n\r\neax=1979aea0 ebx=1638bb50 ecx=1979aea0 edx=0024e340 esi=00000000 edi=00000000\r\neip=663088d8 esp=0024e330 ebp=0024e330 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206\r\nppcore!DllGetLCID+0x18205e:\r\n663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????\r\n\r\nCall Stack:\r\n\r\nChildEBP RetAddr Args to Child \r\nWARNING: Stack unwind information not available. Following frames may be wrong.\r\n0024e330 663088cc 1979aea0 0024e46c 00000000 ppcore!DllGetLCID+0x18205e\r\n0024e350 663072cb 0024e46c e437cde4 00000000 ppcore!DllGetLCID+0x182052\r\n0024e4c8 662fcbda 1cd76fe8 0024e4f0 0024e574 ppcore!DllGetLCID+0x180a51\r\n0024e598 662fc9ee 00000000 0024e5e0 0024e63e ppcore!DllGetLCID+0x176360\r\n0024e5ac 662e82fd 0024e5e0 0024e63e e4362e14 ppcore!DllGetLCID+0x176174\r\n00250738 662e7c88 17802ef8 073def40 1638bb50 ppcore!DllGetLCID+0x161a83\r\n00250774 6619d3e9 002508a4 00250890 1638bb50 ppcore!DllGetLCID+0x16140e\r\n\r\nDisassembly: \r\n\r\n663088d2 55 push ebp\r\n663088d3 8bec mov ebp,esp\r\n663088d5 8b4d08 mov ecx,dword ptr [ebp+8]\r\n663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????\r\n\r\nThe ecx register is pointing to invalid memory in this crash. Looking at the call stack and disassembly above we can see that this value was passed in as the first argument to the crashing function. 
The calling function obtained this value from a pointer in stack memory at 0x0024e46c + 0x10:\r\n\r\n0:000> dd poi(0024e46c)\r\n1cb7cfa0 00000000 1cb7cfa0 00000002 19045ea0\r\n1cb7cfb0 1979aea0 00000000 00000000 00000000\r\n\r\nWe can verify that this is allocated memory and find the function that allocated it:\r\n\r\n(address changed between runs and is now 0x1cb7cfa0)\r\n\r\n0:000> !heap -p -a 1cb7cfa0\r\n address 1cb7cfa0 found in\r\n _DPH_HEAP_ROOT @ 1261000\r\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\r\n 1d2b14e0: 1cb7cfa0 5c - 1cb7c000 2000\r\n 6f748e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\r\n 7719616e ntdll!RtlDebugAllocateHeap+0x00000030\r\n 7715a08b ntdll!RtlpAllocateHeap+0x000000c4\r\n 77125920 ntdll!RtlAllocateHeap+0x0000023a\r\n 72eaad1a vrfcore!VerifierSetAPIClassName+0x000000aa\r\n 701f16ac vfbasics+0x000116ac\r\n 641a6cca mso!Ordinal149+0x000078e0\r\n 66118132 ppcore!PPMain+0x00001244\r\n 662fcbda ppcore!DllGetLCID+0x00176360\r\n 662fc9ee ppcore!DllGetLCID+0x00176174\r\n 662e82fd ppcore!DllGetLCID+0x00161a83\r\n\r\nSetting breakpoints on ppcore!DllGetLCID+0x00176360 and subsequent memory write access breakpoints at eax+0x10 (there are multiple hits) eventually resulted in the same file crashing with a different context:\r\n\r\neax=00000000 ebx=17c2cb50 ecx=00000000 edx=00000000 esi=1a36eea0 edi=1a36eea0\r\neip=6625a361 esp=0022e1d0 ebp=0022e1f8 iopl=0 nv up ei ng nz ac po cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210293\r\nppcore!DllGetLCID+0xd3ae7:\r\n6625a361 8b4870 mov ecx,dword ptr [eax+70h] ds:0023:00000070=????????\r\n\r\n0:000> kb\r\nChildEBP RetAddr Args to Child \r\nWARNING: Stack unwind information not available. 
Following frames may be wrong.\r\n0022e1f8 662d7d30 661813c4 ec3f4e62 00000000 ppcore!DllGetLCID+0xd3ae7\r\n0022e220 663088e2 00000000 661813c4 0022e250 ppcore!DllGetLCID+0x1514b6\r\n0022e230 663088cc 1a36eea0 0022e36c 00000000 ppcore!DllGetLCID+0x182068\r\n0022e250 663072cb 0022e36c ec3f4f8a 00000000 ppcore!DllGetLCID+0x182052\r\n0022e3c8 662fcbda 1c7a4fe8 0022e3f0 0022e474 ppcore!DllGetLCID+0x180a\r\n\r\nGiven the different crashing contexts related to timing when breakpoints are set I suspect this to be a heap corruption bug that Application Verifier does not detect.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40406.zip\r\n", "osvdbidlist": []}
{"cve": [{"lastseen": "2020-10-03T12:10:44", "description": "Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 2013 RT SP1, Office 2016, Word for Mac 2011, Word 2016 for Mac, Word Viewer, Word Automation Services on SharePoint Server 2010 SP2, SharePoint Server 2013 SP1, Excel Automation Services on SharePoint Server 2013 SP1, Word Automation Services on SharePoint Server 2013 SP1, Office Web Apps 2010 SP2, and Office Web Apps Server 2013 SP1 allow remote attackers to execute arbitrary code via a crafted document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-09-14T10:59:00", "title": "CVE-2016-3357", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3357"], "modified": "2018-10-30T16:27:00", "cpe": ["cpe:/a:microsoft:word_for_mac:2016", "cpe:/a:microsoft:word_viewer:*", "cpe:/a:microsoft:office_web_apps_server:2013", "cpe:/a:microsoft:sharepoint_foundation:2013", "cpe:/a:microsoft:office:2007", "cpe:/a:microsoft:office:2010", "cpe:/a:microsoft:sharepoint_foundation:2010", 
"cpe:/a:microsoft:office_web_apps:2010", "cpe:/a:microsoft:word_for_mac:2011", "cpe:/a:microsoft:office:2013", "cpe:/a:microsoft:office:2016"], "id": "CVE-2016-3357", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3357", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:word_for_mac:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:word_for_mac:2011:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_web_apps_server:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_foundation:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:word_viewer:*:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:sharepoint_foundation:2010:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office_web_apps:2010:sp2:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2018-03-11T18:49:02", "bulletinFamily": "software", "cvelist": ["CVE-2016-3357"], "description": "### Description\n\nMicrosoft Office is prone to a remote memory-corruption vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. 
Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Excel Automation Services on Microsoft SharePoint Server 2013 SP1 \n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 Service Pack 2 (32-bit editions) \n * Microsoft Office 2010 Service Pack 2 (64-bit editions) \n * Microsoft Office 2013 RT Service Pack 1 \n * Microsoft Office 2013 Service Pack 1 (32-bit editions) \n * Microsoft Office 2013 Service Pack 1 (64-bit editions) \n * Microsoft Office 2016 (32-bit edition) \n * Microsoft Office 2016 (64-bit edition) \n * Microsoft Office Web Apps 2010 SP2 \n * Microsoft Office Web Apps Server 2013 SP1 \n * Microsoft SharePoint Server 2013 SP1 \n * Microsoft Word 2016 for Mac \n * Microsoft Word Automation Services on Microsoft SharePoint Server 2010 SP2 \n * Microsoft Word Automation Services on Microsoft SharePoint Server 2013 Service Pack 1 \n * Microsoft Word Viewer \n * Microsoft Word for Mac 2011 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. 
Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-09-13T00:00:00", "published": "2016-09-13T00:00:00", "id": "SMNTC-92786", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/92786", "type": "symantec", "title": "Microsoft Office CVE-2016-3357 Memory Corruption Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mscve": [{"lastseen": "2020-08-07T11:48:17", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3357"], "description": "A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nExploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. 
In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\n\nNote that where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector.\n\nThe security update addresses the vulnerability by correcting how Office handles objects in memory.\n", "edition": 3, "modified": "2016-09-22T07:00:00", "id": "MS:CVE-2016-3357", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3357", "published": "2016-09-22T07:00:00", "title": "Microsoft Office Memory Corruption Vulnerability", "type": "mscve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-11T11:49:50", "description": "Exploit for windows platform in category dos / poc", "edition": 2, "published": "2016-09-21T00:00:00", "type": "zdt", "title": "Microsoft Office PowerPoint 2010 - Invalid Pointer Reference", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3357"], "modified": "2016-09-21T00:00:00", "id": "1337DAY-ID-24817", "href": "https://0day.today/exploit/description/24817", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=866\r\n \r\nThe following crash was observed in Microsoft PowerPoint 2010 running under Windows 7 x86 with application verifier enabled. 
\r\n \r\nFile versions are:\r\n mso.dll: 14.0.7166.5000\r\n ppcore.dll: 14.0.7168.5000\r\n \r\nAttached crashing file: 3525170180.ppt\r\n \r\nCrashing context:\r\n \r\neax=1979aea0 ebx=1638bb50 ecx=1979aea0 edx=0024e340 esi=00000000 edi=00000000\r\neip=663088d8 esp=0024e330 ebp=0024e330 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206\r\nppcore!DllGetLCID+0x18205e:\r\n663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????\r\n \r\nCall Stack:\r\n \r\nChildEBP RetAddr Args to Child \r\nWARNING: Stack unwind information not available. Following frames may be wrong.\r\n0024e330 663088cc 1979aea0 0024e46c 00000000 ppcore!DllGetLCID+0x18205e\r\n0024e350 663072cb 0024e46c e437cde4 00000000 ppcore!DllGetLCID+0x182052\r\n0024e4c8 662fcbda 1cd76fe8 0024e4f0 0024e574 ppcore!DllGetLCID+0x180a51\r\n0024e598 662fc9ee 00000000 0024e5e0 0024e63e ppcore!DllGetLCID+0x176360\r\n0024e5ac 662e82fd 0024e5e0 0024e63e e4362e14 ppcore!DllGetLCID+0x176174\r\n00250738 662e7c88 17802ef8 073def40 1638bb50 ppcore!DllGetLCID+0x161a83\r\n00250774 6619d3e9 002508a4 00250890 1638bb50 ppcore!DllGetLCID+0x16140e\r\n \r\nDisassembly: \r\n \r\n663088d2 55 push ebp\r\n663088d3 8bec mov ebp,esp\r\n663088d5 8b4d08 mov ecx,dword ptr [ebp+8]\r\n663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????\r\n \r\nThe ecx register is pointing to invalid memory in this crash. Looking at the call stack and disassembly above we can see that this value was passed in as the first argument to the crashing function. 
The calling function obtained this value from a pointer in stack memory at 0x0024e46c + 0x10:\r\n \r\n0:000> dd poi(0024e46c)\r\n1cb7cfa0 00000000 1cb7cfa0 00000002 19045ea0\r\n1cb7cfb0 1979aea0 00000000 00000000 00000000\r\n \r\nWe can verify that this is allocated memory and find the function that allocated it:\r\n \r\n(address changed between runs and is now 0x1cb7cfa0)\r\n \r\n0:000> !heap -p -a 1cb7cfa0\r\n address 1cb7cfa0 found in\r\n _DPH_HEAP_ROOT @ 1261000\r\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\r\n 1d2b14e0: 1cb7cfa0 5c - 1cb7c000 2000\r\n 6f748e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\r\n 7719616e ntdll!RtlDebugAllocateHeap+0x00000030\r\n 7715a08b ntdll!RtlpAllocateHeap+0x000000c4\r\n 77125920 ntdll!RtlAllocateHeap+0x0000023a\r\n 72eaad1a vrfcore!VerifierSetAPIClassName+0x000000aa\r\n 701f16ac vfbasics+0x000116ac\r\n 641a6cca mso!Ordinal149+0x000078e0\r\n 66118132 ppcore!PPMain+0x00001244\r\n 662fcbda ppcore!DllGetLCID+0x00176360\r\n 662fc9ee ppcore!DllGetLCID+0x00176174\r\n 662e82fd ppcore!DllGetLCID+0x00161a83\r\n \r\nSetting breakpoints on ppcore!DllGetLCID+0x00176360 and subsequent memory write access breakpoints at eax+0x10 (there are multiple hits) eventually resulted in the same file crashing with a different context:\r\n \r\neax=00000000 ebx=17c2cb50 ecx=00000000 edx=00000000 esi=1a36eea0 edi=1a36eea0\r\neip=6625a361 esp=0022e1d0 ebp=0022e1f8 iopl=0 nv up ei ng nz ac po cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210293\r\nppcore!DllGetLCID+0xd3ae7:\r\n6625a361 8b4870 mov ecx,dword ptr [eax+70h] ds:0023:00000070=????????\r\n \r\n0:000> kb\r\nChildEBP RetAddr Args to Child \r\nWARNING: Stack unwind information not available. 
Following frames may be wrong.\r\n0022e1f8 662d7d30 661813c4 ec3f4e62 00000000 ppcore!DllGetLCID+0xd3ae7\r\n0022e220 663088e2 00000000 661813c4 0022e250 ppcore!DllGetLCID+0x1514b6\r\n0022e230 663088cc 1a36eea0 0022e36c 00000000 ppcore!DllGetLCID+0x182068\r\n0022e250 663072cb 0022e36c ec3f4f8a 00000000 ppcore!DllGetLCID+0x182052\r\n0022e3c8 662fcbda 1c7a4fe8 0022e3f0 0022e474 ppcore!DllGetLCID+0x180a\r\n \r\nGiven the different crashing contexts related to timing when breakpoints are set I suspect this to be a heap corruption bug that Application Verifier does not detect.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40406.zip\n\n# 0day.today [2018-04-11] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/24817"}], "openvas": [{"lastseen": "2020-06-10T19:48:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3357"], "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-107.", "modified": "2020-06-08T00:00:00", "published": "2016-09-14T00:00:00", "id": "OPENVAS:1361412562310809044", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809044", "type": "openvas", "title": "Microsoft SharePoint Server WAS Remote Code Execution Vulnerability (3115466)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft SharePoint Server WAS Remote Code Execution Vulnerability (3115466)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in 
the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:sharepoint_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809044\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-3357\");\n script_bugtraq_id(92786);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-09-14 10:24:16 +0530 (Wed, 14 Sep 2016)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft SharePoint Server WAS Remote Code Execution Vulnerability (3115466)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS16-107.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - Office software fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft SharePoint Server 2010 Service Pack 2 Word Automation Services\n\n - Microsoft SharePoint Server 2013 Service Pack 1 Word Automation Services\");\n\n script_tag(name:\"solution\", value:\"The 
vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3115443\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3115466\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-107\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_sharepoint_sever_n_foundation_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/SharePoint/Server/Ver\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif( ! infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE ) ) exit( 0 );\nshareVer = infos['version'];\npath = infos['location'];\nif(!path || \"Could not find the install location\" >< path){\n exit(0);\n}\n\n## SharePoint Server 2010\nif(shareVer =~ \"^14\\..*\")\n{\n dllVer2 = fetch_file_version(sysPath:path,\n file_name:\"\\14.0\\WebServices\\WordServer\\Core\\sword.dll\");\n if(dllVer2)\n {\n if(version_in_range(version:dllVer2, test_version:\"14.0\", test_version2:\"14.0.7172.4999\"))\n {\n report = 'File checked: ' + path + \"\\14.0\\WebServices\\WordServer\\Core\\sword.dll\" + '\\n' +\n 'File version: ' + dllVer2 + '\\n' +\n 'Vulnerable range: ' + \"14.0 - 14.0.7172.4999\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n\n## SharePoint Server 2013\nif(shareVer =~ \"^15\\..*\")\n{\n dllVer2 = fetch_file_version(sysPath:path,\n file_name:\"\\15.0\\WebServices\\ConversionServices\\sword.dll\");\n if(dllVer2)\n {\n if(version_in_range(version:dllVer2, test_version:\"15.0\", test_version2:\"15.0.4859.999\"))\n {\n report = 'File checked: ' + path + 
\"\\15.0\\WebServices\\ConversionServices\\sword.dll\"+ '\\n' +\n 'File version: ' + dllVer2 + '\\n' +\n 'Vulnerable range: ' + \"15.0 - 15.0.4859.999\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-10T19:47:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0141", "CVE-2016-3357"], "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-107", "modified": "2020-06-08T00:00:00", "published": "2016-09-14T00:00:00", "id": "OPENVAS:1361412562310807367", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807367", "type": "openvas", "title": "Microsoft Office Multiple Remote Code Execution Vulnerabilities-3185852(Mac OS X)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Multiple Remote Code Execution Vulnerabilities-3185852(Mac OS X)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
sps_2013_path, sps_2013_sp, sps_2013_edition;\n local_var installs, install, path, commonfiles;\n\n installs = get_installs(app_name:\"Microsoft SharePoint Server\");\n\n foreach install (installs[1])\n {\n if (install['Product'] == \"2007\")\n {\n sps_2007_path = install['path'];\n sps_2007_sp = install['SP'];\n sps_2007_edition = install['Edition'];\n }\n else if (install[\"Product\"] == \"2010\")\n {\n sps_2010_path = install['path'];\n sps_2010_sp = install['SP'];\n sps_2010_edition = install['Edition'];\n }\n else if (install['Product'] == \"2013\")\n {\n sps_2013_path = install['path'];\n sps_2013_sp = install['SP'];\n sps_2013_edition = install['Edition'];\n }\n }\n\n commonfiles = hotfix_get_commonfilesdir();\n if (!commonfiles) commonfiles = hotfix_get_commonfilesdirx86();\n\n ######################################################################\n # SharePoint Server 2013 SP1 - Word Automation Services\n ######################################################################\n if (sps_2013_path && sps_2013_sp == \"1\" && sps_2013_edition == \"Server\")\n {\n path = hotfix_append_path(path:sps_2013_path, value:\"Bin\");\n if (hotfix_check_fversion(file:\"xlsrv.dll\", version:\"15.0.4859.1000\", min_version:\"15.0.0.0\", path:path, bulletin:bulletin, kb:\"3115169\", product:\"Office SharePoint Server 2013 Excel Services\") == HCF_OLDER)\n vuln = TRUE;\n\n path = hotfix_append_path(path:sps_2013_path, value:\"WebServices\\ConversionServices\");\n if (hotfix_check_fversion(file:\"sword.dll\", version:\"15.0.4859.1000\", min_version:\"15.0.0.0\", path:path, bulletin:bulletin, kb:\"3115443\", product:\"Office SharePoint Server 2013 Word Automation Services\") == HCF_OLDER)\n vuln = TRUE;\n\n if (hotfix_check_fversion(file:\"ppserver.dll\", version:\"15.0.4859.1000\", path:path, bulletin:bulletin, kb:\"3054862\", product:\"Office SharePoint Server 2013\") == HCF_OLDER)\n vuln = TRUE;\n }\n\n ######################################################################\n 
# SharePoint Server 2007 SP3 - Excel Services\n ######################################################################\n if (sps_2007_path && sps_2007_sp == \"3\" && sps_2007_edition == \"Server\")\n {\n path = hotfix_append_path(path:sps_2007_path, value:\"Bin\");\n if (hotfix_check_fversion(file:\"xlsrv.dll\", version:\"12.0.6755.5000\", path:path, bulletin:bulletin, kb:\"3115112\", product:\"Office SharePoint Server 2007 Excel Services\") == HCF_OLDER)\n vuln = TRUE;\n }\n\n ######################################################################\n # SharePoint Server 2010 SP2 - Word Automation Services\n ######################################################################\n if (sps_2010_path && sps_2010_sp == \"2\" && sps_2010_edition == \"Server\")\n {\n path = hotfix_append_path(path:sps_2010_path, value:\"WebServices\\WordServer\\Core\");\n if (hotfix_check_fversion(file:\"msoserver.dll\", version:\"14.0.7173.5000\", path:path, bulletin:bulletin, kb:\"3115466\", product:\"Office SharePoint Server 2010 Word Automation Services\") == HCF_OLDER)\n vuln = TRUE;\n\n path = hotfix_append_path(path:sps_2010_path, value:\"Bin\");\n if (hotfix_check_fversion(file:\"xlsrv.dll\", version:\"14.0.7173.5000\", path:path, bulletin:bulletin, kb:\"3115119\", product:\"Office SharePoint Server 2010 Excel Services\") == HCF_OLDER)\n vuln = TRUE;\n }\n}\n \nfunction perform_office_checks()\n{\n local_var office_vers, office_sp, common_path, path, prod, kb;\n office_vers = hotfix_check_office_version();\n\n ######################################################################\n # Office 2007 Checks\n ######################################################################\n if (office_vers[\"12.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n prod = \"Microsoft Office 2007 SP3\";\n common_path = hotfix_get_officecommonfilesdir(officever:\"12.0\");\n\n path = hotfix_append_path(path:common_path, value:\"Microsoft 
Shared\\Office12\");\n if (hotfix_check_fversion(file:\"mso.dll\", version:\"12.0.6755.5000\" , path:path, bulletin:bulletin, kb:\"3118300\", product:prod) == HCF_OLDER)\n vuln = TRUE;\n\n path = hotfix_append_path(path:hotfix_get_officeprogramfilesdir(officever:\"12.0\"), value:\"Microsoft Office\\Office12\");\n if (hotfix_check_fversion(file:\"outlmime.dll\", version: \"12.0.6755.5000\" , path:path, bulletin:bulletin, kb:\"3118303\", product:\"Outlook 2007 SP3\") == HCF_OLDER)\n vuln = TRUE;\n\n if (hotfix_check_fversion(file:\"ppcore.dll\", version: \"12.0.6755.5000\" , path:path, bulletin:bulletin, kb:\"3114744\", product:\"PowerPoint 2007 SP3\") == HCF_OLDER)\n vuln = TRUE;\n }\n }\n\n ######################################################################\n # Office 2010 Checks\n ######################################################################\n if (office_vers[\"14.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && office_sp == 2)\n {\n prod = \"Microsoft Office 2010 SP2\";\n common_path = hotfix_get_officecommonfilesdir(officever:\"14.0\");\n\n path = hotfix_append_path(path:common_path, value:\"Microsoft Shared\\Office14\");\n if (hotfix_check_fversion(file:\"mso.dll\", version:\"14.0.7173.5000\", path:path, bulletin:bulletin, kb:\"3118309\", product:prod) == HCF_OLDER)\n vuln = TRUE;\n\n path = hotfix_append_path(path:hotfix_get_officeprogramfilesdir(officever:\"14.0\"), value:\"Microsoft Office\\Office14\");\n if (hotfix_check_fversion(file:\"offowc.dll\", version:\"14.0.7173.5000\", path:path, bulletin:bulletin, kb:\"2553432\", product:prod) == HCF_OLDER)\n vuln = TRUE;\n\n if (hotfix_check_fversion(file:\"outlmime.dll\", version: \"14.0.7173.5000\" , path:path, bulletin:bulletin, kb:\"3118313\", product:\"Outlook 2010 SP2\") == HCF_OLDER)\n vuln = TRUE;\n\n if (hotfix_check_fversion(file:\"ppcore.dll\", version: \"14.0.7173.5000\" , path:path, bulletin:bulletin, kb:\"3115467\", product:\"PowerPoint 2010 SP2\") 
== HCF_OLDER)\n vuln = TRUE;\n\n if ( \"64\" >< get_kb_item(\"SMB/Office/14.0/Bitness\"))\n {\n path = hotfix_append_path(path:hotfix_get_commonfilesdirx86(), value:\"Microsoft Shared\\Office14\");\n if (hotfix_check_fversion(file:\"mso.dll\", version:\"14.0.7173.5000\", path:path, bulletin:bulletin, kb:\"3118309\", product:prod) == HCF_OLDER)\n vuln = TRUE;\n }\n }\n }\n\n ######################################################################\n # Office 2013 Checks\n ######################################################################\n if (office_vers[\"15.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2013/SP\");\n if (!isnull(office_sp) && int(office_sp) == 1)\n {\n prod = \"Microsoft Office 2013 SP1\";\n common_path = hotfix_get_officecommonfilesdir(officever:\"15.0\");\n\n path = hotfix_append_path(path:common_path, value:\"Microsoft Shared\\Office15\");\n if (hotfix_check_fversion(file:\"mso.dll\", version: \"15.0.4859.1000\", path:path, bulletin:bulletin, kb:\"3118268\", product:prod) == HCF_OLDER)\n vuln = TRUE;\n\n if ( \"64\" >< get_kb_item(\"SMB/Office/15.0/Bitness\"))\n {\n path = hotfix_append_path(path:hotfix_get_commonfilesdirx86(), value:\"Microsoft Shared\\Office15\");\n if (hotfix_check_fversion(file:\"mso.dll\", version:\"15.0.4859.1000\", path:path, bulletin:bulletin, kb:\"3118268\", product:prod) == HCF_OLDER)\n vuln = TRUE;\n }\n }\n }\n\n ######################################################################\n # Office 2016 Checks\n ######################################################################\n if (office_vers[\"16.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2016/SP\");\n if (!isnull(office_sp) && int(office_sp) == 0)\n {\n prod = \"Microsoft Office 2016\";\n path = hotfix_append_path(path:hotfix_get_officecommonfilesdir(officever:\"16.0\"), value:\"Microsoft Shared\\Office16\");\n if (\n hotfix_check_fversion(file:\"mso.dll\", version:\"16.0.4432.1000\", channel:\"MSI\", channel_product:\"Office\", path:path, 
bulletin:bulletin, kb:\"3118292\", product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:\"mso.dll\", version:\"16.0.6701.1041\", channel:\"Deferred\", channel_version:\"1602\", channel_product:\"Office\", path:path, bulletin:bulletin, kb:\"3118292\", product:prod) == HCF_OLDER #||\n##TODO\n # hotfix_check_fversion(file:\"mso.dll\", version:\"16.0.7127.1019\", channel:\"Current\", channel_product:\"Office\", path:path, bulletin:bulletin, kb:\"3118292\", product:prod) == HCF_OLDER\n )\n vuln = TRUE;\n\n if ( \"64\" >< get_kb_item(\"SMB/Office/16.0/Bitness\"))\n {\n path = hotfix_append_path(path:hotfix_get_officeprogramfilesdir(officever:\"16.0\"), value:\"Microsoft Office\\root\\VFS\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE16\");\n if (\n hotfix_check_fversion(file:\"mso.dll\", version:\"16.0.4432.1000\", channel:\"MSI\", channel_product:\"Office\", path:path, bulletin:bulletin, kb:\"3118292\", product:prod) == HCF_OLDER ||\n hotfix_check_fversion(file:\"mso.dll\", version:\"16.0.6701.1041\", channel:\"Deferred\", channel_version:\"1602\", channel_product:\"Office\", path:path, bulletin:bulletin, kb:\"3118292\", product:prod) == HCF_OLDER #||\n##TODO\n # hotfix_check_fversion(file:\"mso.dll\", version:\"16.0.7127.1019\", channel:\"Current\", channel_product:\"Office\", path:path, bulletin:bulletin, kb:\"3118292\", product:prod) == HCF_OLDER\n )\n vuln = TRUE;\n }\n }\n }\n}\n\nfunction perform_office_product_checks()\n{\n local_var excel_checks, word_checks, onenote_checks, outlook_checks, ppt_vwr_checks, excel_compat_checks,excel_vwr_checks,powerpoint_checks;\n\n local_var installs, install, path; # For DLL checks\n\n ######################################################################\n # Excel Checks\n ######################################################################\n excel_checks = make_array(\n \"12.0\", make_array(\"sp\", 3, \"version\", \"12.0.6755.5000\", \"kb\", \"3115459\"),\n \"14.0\", make_array(\"sp\", 2, \"version\", 
\"14.0.7173.5000\", \"kb\", \"3118316\"),\n \"15.0\", make_array(\"sp\", 1, \"version\", \"15.0.4859.1000\", \"kb\", \"3118284\"),\n \"16.0\", make_nested_list(\n make_array(\"sp\", 0, \"version\", \"16.0.4432.1003\", \"channel\", \"MSI\", \"kb\", \"3118290\"),\n make_array(\"sp\", 0, \"version\", \"16.0.6001.1090\", \"channel\", \"Deferred\", \"kb\", \"3118290\"),\n make_array(\"sp\", 0, \"version\", \"16.0.6741.2071\", \"channel\", \"Deferred\", \"channel_version\", \"1602\", \"kb\", \"3118290\"),\n make_array(\"sp\", 0, \"version\", \"16.0.6965.2084\", \"channel\", \"First Release for Deferred\", \"kb\", \"3118290\"),\n make_array(\"sp\", 0, \"version\", \"16.0.7070.2058\", \"channel\", \"Current\", \"kb\", \"3118290\")\n )\n );\n if (hotfix_check_office_product(product:\"Excel\", checks:excel_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # Outlook Checks\n ######################################################################\n outlook_checks = make_array(\n \"15.0\", make_array(\"sp\", 1, \"version\", \"15.0.4859.1000\", \"kb\", \"3118280\"),\n \"16.0\", make_nested_list(\n make_array(\"sp\", 0, \"version\", \"16.0.4432.1001\", \"channel\", \"MSI\", \"kb\", \"3118293\"),\n make_array(\"sp\", 0, \"version\", \"16.0.6001.1090\", \"channel\", \"Deferred\", \"kb\", \"3118290\"),\n make_array(\"sp\", 0, \"version\", \"16.0.6741.2071\", \"channel\", \"Deferred\", \"channel_version\", \"1602\", \"kb\", \"3118290\"),\n make_array(\"sp\", 0, \"version\", \"16.0.6965.2084\", \"channel\", \"First Release for Deferred\", \"kb\", \"3118290\"),\n make_array(\"sp\", 0, \"version\", \"16.0.7070.2058\", \"channel\", \"Current\", \"kb\", \"3118290\")\n )\n );\n if (hotfix_check_office_product(product:\"Outlook\", checks:outlook_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # Excel Viewer\n 
######################################################################\n excel_vwr_checks = make_array(\n \"12.0\", make_array(\"sp\", 3, \"version\", \"12.0.6755.5000\", \"kb\", \"3115463\")\n );\n if (hotfix_check_office_product(product:\"ExcelViewer\", display_name:\"Excel Viewer\", checks:excel_vwr_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # Word Viewer\n ######################################################################\n installs = get_kb_list(\"SMB/Office/WordViewer/*/ProductPath\");\n if (!isnull(installs))\n {\n foreach install (keys(installs))\n {\n path = installs[install];\n path = ereg_replace(pattern:'^(.+)\\\\\\\\[^\\\\\\\\]+\\\\.exe$', replace:\"\\1\\\", string:path, icase:TRUE);\n if(hotfix_check_fversion(path:path, file:\"mso.dll\", version:\"11.0.8434.0\", kb:\"3118297\", bulletin:bulletin, min_version:\"11.0.0.0\", product:\"Microsoft Word Viewer\") == HCF_OLDER)\n vuln = TRUE;\n }\n }\n\n ######################################################################\n # PowerPoint Checks\n ######################################################################\n powerpoint_checks = make_array(\n \"15.0\", make_array(\"sp\", 1, \"version\", \"15.0.4859.1000\", \"kb\", \"3115487\")\n );\n if (hotfix_check_office_product(product:\"PowerPoint\", checks:powerpoint_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # PowerPoint Viewer 2010\n ######################################################################\n ppt_vwr_checks = make_array(\n \"14.0\", make_array(\"sp\", 2, \"version\", \"14.0.7173.5000\", \"kb\", \"3054969\")\n );\n if (hotfix_check_office_product(product:\"PowerPointViewer\", display_name:\"PowerPoint Viewer\", checks:ppt_vwr_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # Excel Compatibility pack\n 
######################################################################\n excel_compat_checks = make_array(\n \"12.0\", make_array(\"version\", \"12.0.6755.5000\", \"kb\", \"3115462\")\n );\n if (hotfix_check_office_product(product:\"ExcelCnv\", display_name:\"Office Compatibility Pack SP3\", checks:excel_compat_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # PowerPoint Compatibility pack\n ######################################################################\n installs = get_kb_list(\"SMB/Office/PowerPointCnv/*/ProductPath\");\n if (!isnull(installs))\n foreach install (keys(installs))\n {\n path = installs[install];\n path = ereg_replace(pattern:'^(.+)\\\\\\\\[^\\\\\\\\]+\\\\.exe$', replace:\"\\1\\\", string:path, icase:TRUE);\n if(hotfix_check_fversion(path:path, file:\"ppcnv.dll\", version:\"12.0.6755.5000\", kb:\"2597974\", bulletin:bulletin, min_version:\"12.0.0.0\", product:\"PowerPoint Compatability Pack SP3\") == HCF_OLDER)\n vuln = TRUE;\n }\n}\n\nperform_office_checks();\nperform_office_product_checks();\nperform_office_online_server_checks();\nperform_owa_checks();\nperform_sharepoint_checks();\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:34:51", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3359", "CVE-2016-3364", "CVE-2016-0141", "CVE-2016-3381", "CVE-2016-3360", "CVE-2016-3363", "CVE-2016-3357", "CVE-2016-0137", "CVE-2016-3361", "CVE-2016-3362", "CVE-2016-3358", "CVE-2016-3365", "CVE-2016-3366"], "description": "<html><body><p>Describes a security update that fixes vulnerabilities in Microsoft Office. 
The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves a vulnerability in Microsoft Office. To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-107\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-107</a>.<span></span><br/></div><h2>More information about this security update</h2><div class=\"kb-moreinformation-section section\">The following articles contain more information about this security update as it relates to individual product versions. These articles may contain known issue information. <br/> <ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3115487\" id=\"kb-link-3\" target=\"_self\">KB3115487 MS16-107: Description of the security update for PowerPoint 2013: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118268\" id=\"kb-link-4\" target=\"_self\">KB3118268 MS16-107: Description of the security update for Office 2013: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118280\" id=\"kb-link-5\" target=\"_self\">KB3118280 MS16-107: Description of the security update for Outlook 2013: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118284\" id=\"kb-link-6\" target=\"_self\">KB3118284 MS16-107: Description of the security update for Excel 2013: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118290\" id=\"kb-link-7\" target=\"_self\">KB3118290 MS16-107: Description of the security update for Excel 2016: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118292\" id=\"kb-link-8\" target=\"_self\">KB3118292 MS16-107: Description of the security update for Office 2016: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118293\" 
id=\"kb-link-9\" target=\"_self\">KB3118293 MS16-107: Description of the security update for Outlook 2016: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/2553432\" id=\"kb-link-10\" target=\"_self\">KB2553432 MS16-107: Description of the security update for Office 2010: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3054862\" id=\"kb-link-11\" target=\"_self\">KB3054862 MS16-107: Description of the security update for SharePoint Server 2013: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3114744\" id=\"kb-link-12\" target=\"_self\">KB3114744 MS16-107: Description of the security update for PowerPoint 2007: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3115112\" id=\"kb-link-13\" target=\"_self\">KB3115112 MS16-107: Description of the security update for Excel Services on Microsoft SharePoint Server 2007: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3115119\" id=\"kb-link-14\" target=\"_self\">KB3115119 MS16-107: Description of the security update for Excel Services on SharePoint Server 2010: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3115169\" id=\"kb-link-15\" target=\"_self\">KB3115169 MS16-107: Description of the security update for Excel Services on SharePoint Server 2013: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3115443\" id=\"kb-link-16\" target=\"_self\">KB3115443 MS16-107: Description of the security update for Word Automation Services on SharePoint Server 2013: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3115459\" id=\"kb-link-17\" target=\"_self\">KB3115459 MS16-107: Description of the security update for Excel 2007: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3115462\" id=\"kb-link-18\" target=\"_self\">KB3115462 MS16-107: Description of the security update for Microsoft Office 
Compatibility Pack Service Pack 3: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3115463\" id=\"kb-link-19\" target=\"_self\">KB3115463 MS16-107: Description of the security update for Excel Viewer 2007: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3115466\" id=\"kb-link-20\" target=\"_self\">KB3115466 MS16-107: Description of the security update for Word Automation Services on SharePoint Server 2010: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3115467\" id=\"kb-link-21\" target=\"_self\">KB3115467 MS16-107: Description of the security update for PowerPoint 2010: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3115472\" id=\"kb-link-22\" target=\"_self\">KB3115472 MS16-107: Description of the security update for SharePoint Server 2010 Office Web Apps: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118270\" id=\"kb-link-23\" target=\"_self\">KB3118270 MS16-107: Description of the security update for Office Web Apps Server 2013: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118297\" id=\"kb-link-24\" target=\"_self\">KB3118297 MS16-107: Description of the security update for Office 2003: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118300\" id=\"kb-link-25\" target=\"_self\">KB3118300 MS16-107: Description of the security update for 2007 Microsoft Office Suite: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118303\" id=\"kb-link-26\" target=\"_self\">KB3118303 MS16-107: Description of the security update for Outlook 2007: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118309\" id=\"kb-link-27\" target=\"_self\">KB3118309 MS16-107: Description of the security update for Office 2010: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118313\" id=\"kb-link-28\" 
target=\"_self\">KB3118313 MS16-107: Description of the security update for Outlook 2010: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118316\" id=\"kb-link-29\" target=\"_self\">KB3118316 MS16-107: Description of the security update for Excel 2010: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/2597974\" id=\"kb-link-30\" target=\"_self\">KB2597974 MS16-107: Description of the security update for Microsoft Office Compatibility Pack Service Pack 3: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3054969\" id=\"kb-link-31\" target=\"_self\">KB3054969 MS16-107: Description of the security update for PowerPoint Viewer 2010: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3118299\" id=\"kb-link-32\" target=\"_self\">KB3118299 MS16-107: Description of the security update for Microsoft Office Online Server: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3186807\" id=\"kb-link-33\" target=\"_self\">KB3186807 MS16-107: Description of the security update for Office 2016 for Mac: September 13, 2016</a></li><li><a href=\"https://support.microsoft.com/help/3186805\" id=\"kb-link-34\" target=\"_self\">KB3186805 MS16-107: Description of the security update for Office for Mac 2011 14.6.8: September 13, 2016</a></li></ul><h3 class=\"sbody-h3\">Nonsecurity-related fixes and improvements that are included in this security update</h3><ul class=\"sbody-free_list\"><li>Enable the <a href=\"http://dev.office.com/reference/add-ins/office-add-in-requirement-sets\" id=\"kb-link-35\" target=\"_self\">DialogAPI 1.1</a> requirement that is set in Office 2013 applications and the <a href=\"http://dev.office.com/reference/add-ins/office-add-in-requirement-sets\" id=\"kb-link-36\" target=\"_self\">Mailbox 1.4</a> requirement that is set in Outlook 2013.<br/></li><li>This is an update to a feature that was released in Office 2013. 
VBA macros are no longer automatically blocked when you receive an attachment from a trusted sender or you open a file from your personal OneDrive. See <a href=\"https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection\" id=\"kb-link-37\" target=\"_self\">New feature in Office 2016 can block macros and help prevent infection</a> and <a href=\"https://technet.microsoft.com/en-us/library/ee857085%28v=office.16%29.aspx?f=255&mspperror=-2147217396#blockvba\" id=\"kb-link-38\" target=\"_self\">Plan security settings for VBA macros in Office 2016</a> for more information.<br/></li><li>Translate some terms in multiple languages to make sure that the meaning is accurate.<br/></li><li>Enable the DialogAPI 1.1 in Excel 2013.<br/></li><li>Add some new and improved data connectivity and transformation features. For more information, see <a href=\"https://support.microsoft.com/help/3118296\" id=\"kb-link-39\" target=\"_self\">KB3118296</a>.<br/></li><li>Update translations of phone extension information in Outlook 2016 contacts for Skype for Business clients. Translate string changes for publishing settings in Visio 2016. Correct translations in Outlook rules wizard for Romanian. 
<br/></li><li>Add OST corruption events.<br/></li><li>Contains fixes for the following nonsecurity issues: <br/> <ul class=\"sbody-free_list\"><li>If slides contain an equation that has an animation applied, PowerPoint 2013 freezes in Slide Show mode.<br/></li><li>After you export a presentation as a PDF file, intra-document hyperlinks will link to the correct slide.<br/></li><li>After you export a presentation as a video, an audio that is set to play across slides stops on the correct slide.<br/></li><li>After you save a workbook that has carriage return and line feed characters as a PDF file in Excel 2013, the characters are displayed as squares in Adobe Reader.<br/><span class=\"text-base\">Note</span> To fix this issue, you also have to install <a href=\"https://support.microsoft.com/help/3085587\" id=\"kb-link-40\" target=\"_self\">April 5, 2016, update for Office 2013 (KB3085587)</a>.<br/></li><li>After you rename a button on a custom ribbon tab in the Korean version of Office 2013 applications, the button name is split but remains on the same line.<br/></li><li>You can't post a blog to a Blogger site in Word 2013. This update deletes the Blogger option from the Blog list because the authentication protocol is changed.<br/></li><li>Assume that you disable the read receipt functionality in Outlook 2013. When you receive email messages that have a requested SMIME receipt, local copies of email messages bloat the Versions folder on the server that is running Exchange Server.<br/></li><li>When you forward IRM email messages, the content is attached as an .msg attachment instead of being included in the message body in the new message.<br/></li><li>A non-default Retention policy that is applied to shared mailboxes in Outlook does not apply to subfolders that are created in those mailboxes by any user who has permissions to that mailbox in Cached Exchange mode. 
This causes messages to be moved to those subfolders to inherit the parent folder's retention policy and not honor the policy that is set by the user. The messages will be deleted during the wrong period.<br/></li><li>When you move a junk email message from the Junk E-Mail folder, and you try to download the message again in Outlook 2013, the message is moved to the Junk E-Mail folder again.<br/></li><li>When you use a meeting request in Outlook 2013, Outlook 2013 crashes randomly.<br/></li><li>The <a href=\"https://msdn.microsoft.com/en-us/library/office/ff841007.aspx?f=255&mspperror=-2147217396\" id=\"kb-link-41\" target=\"_self\">Sheets.Select (False)</a> method doesn't work after you install <a href=\"https://support.microsoft.com/help/3115262\" id=\"kb-link-42\" target=\"_self\">MS16-088: Description of the security update for Excel 2013: July 12, 2016</a>.<br/></li><li>Excel 2013 opens HTML documents (even if they are renamed as .xls files) in protected view instead of silently failing. This issue occurs after you install <a href=\"https://support.microsoft.com/help/3115262\" id=\"kb-link-43\" target=\"_self\">MS16-088: Description of the security update for Excel 2013: July 12, 2016</a>.<br/></li><li>The <a href=\"https://msdn.microsoft.com/en-us/library/office/ff821053.aspx\" id=\"kb-link-44\" target=\"_self\">Workbook.SendMail</a> method doesn't work correctly to send a workbook through an email message in Excel 2016.<br/></li><li>Accessibility applications such as screen readers can't recognize new content in cells in Excel 2016.<br/></li><li>If you have multiple workbooks open concurrently in Excel 2016, and Auto-Recover is triggered on one of the workbooks, some of the other workbooks that don't have any data models are corrupted.<br/></li><li>Assume that an Excel worksheet object is embedded in another Office 2016 application, and the worksheet contains an ActiveX control. 
When you activate and deactivate the Excel object in the Office 2016 application, Excel 2016 crashes and you receive the following error message: <div class=\"indent\"><div class=\"sbody-error\">The server application, source file or item cannot be found, or returned an unknown error. You may need to reinstall the server application.</div></div></li><li>The <a href=\"https://msdn.microsoft.com/en-us/library/office/ff841007.aspx?f=255&mspperror=-2147217396\" id=\"kb-link-45\" target=\"_self\">Sheets.Select (False)</a> method doesn't work after you install <a href=\"https://support.microsoft.com/help/3115272\" id=\"kb-link-46\" target=\"_self\">MS16-088: Description of the security update for Excel 2016: July 12, 2016</a>.<br/></li><li>Excel 2016 opens HTML documents (even if they're renamed as .xls files) in protected view instead of silently failing.<br/></li><li>After you save a workbook that has carriage return and line feed characters as a PDF file in Excel 2016, the characters are displayed as squares in Adobe Reader.<br/></li><li>When you open the contact card to view the organization details for a user in OneDrive for Business, OneDrive for Business crashes.<br/></li><li>You can't post a blog to a Blogger site in Word 2016. This update deletes the Blogger option from the Blog list because the authentication protocol is changed.<br/></li><li>When you use an intended form to open an item in Outlook 2016, forms cache is corrupted and you receive the following error message: <div class=\"indent\"><div class=\"sbody-error\">The custom form cannot be opened. Outlook will use an Outlook form instead. The form required to view this message cannot be displayed. Contact your administrator.</div></div></li><li>Assume that an email message is sent programmatically in Outlook 2016. When you try to send another email message to the same recipients, you don't get any suggestion for the recipient names. 
This issue occurs because the recipients aren't added to the nickname cache. See <a href=\"https://support.microsoft.com/help/3115483\" id=\"kb-link-47\" target=\"_self\">KB3115483</a> for more information.<br/></li><li>Unexpected and unnecessary authentication notifications are displayed when you start in Outlook 2016.<br/></li><li>After a search result is moved, the item persists in the results list.<br/></li><li>You can't open public folders in Outlook 2016. This issue commonly affects Office 365 subscribers.<br/></li><li>When you search items in the current folder in Outlook 2016, no preview is displayed if the Exchange Server version is earlier than 2016 and the <strong class=\"uiterm\">Message Preview</strong> is set to <strong class=\"uiterm\">3 Lines</strong>.<br/></li><li>When you move a junk email message from the Junk E-Mail folder, and you try to download the message again in Outlook 2013, the message is moved to the Junk E-Mail folder again.<br/></li><li>When you use a meeting request in Outlook 2016, Outlook 2016 crashes randomly.<br/></li><li>When you try to edit an appointment or meeting in Outlook 2016, the <strong class=\"uiterm\">Browse Web Locations</strong> option is unavailable and you can't attach some files.<br/></li><li>Consider the following scenario: You enable cached mode in Outlook 2016. You add two or more Exchange accounts to the same profile. You disable cached mode for those accounts, either manually or by Group Policy. You delete .ost files. In this scenario, Outlook 2016 can't send email messages, and the email messages are just stuck in the Outbox folder. <br/></li><li>A non-default Retention policy that is applied to shared mailboxes in Outlook does not apply to subfolders that are created in those mailboxes by any user who has permissions to that mailbox in Cached Exchange mode. This causes messages to be moved to those subfolders to inherit the parent folder's retention policy and not honor the policy that is set by the user. 
The messages will be deleted during the wrong period.<br/></li><li>When you select the <strong class=\"uiterm\">Preview file</strong> button for a PDF file of an email message in Outlook 2016, the PDF file cannot be previewed.<br/></li><li>Assume that you disable read receipt functionality in Outlook 2016. When you receive email messages that have a requested SMIME receipt, local copies of email messages bloat the Versions folder on the server that is running Exchange Server.<br/></li><li>Attachments are rearranged, deleted, duplicated, or corrupted.<br/></li><li>You can specify the default editor format for calendar items. For more information, see <a href=\"https://support.microsoft.com/help/3118318\" id=\"kb-link-48\" target=\"_self\">3118318</a>. <br/><span class=\"text-base\">Note</span> This only sets the initial default format to be used when a calendar item is created. You can still select another format. <br/></li></ul></li></ul></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\">Microsoft Office 2007 (all editions) and Other Software</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft Office 2007 Service Pack 3:<br/><span 
class=\"text-base\">mso2007-kb3118300-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Excel 2007 Service Pack 3:<br/><span class=\"text-base\">excel2007-kb3115459-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Outlook 2007 Service Pack 3<br/><span class=\"text-base\">outlook2007-kb3118303-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft PowerPoint 2007 Service Pack 3<br/><span class=\"text-base\">powerpoint2007-kb3114744-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Office Compatibility Pack Service Pack 3:<br/><span class=\"text-base\">xlconv2007-kb3115462-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Excel Viewer:<br/><span class=\"text-base\">xlview2007-kb3115463-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Word Viewer:<br/><span class=\"text-base\">office-kb3115463-fullfile-enu.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-50\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. 
<br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-51\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Use the <span class=\"sbody-userinput\">Add or Remove Programs </span> item in <span class=\"sbody-userinput\"> Control Panel</span>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3114744\" id=\"kb-link-52\" target=\"_self\">Microsoft Knowledge Base article 3114744</a><br/>See <a href=\"https://support.microsoft.com/help/3115459\" id=\"kb-link-53\" target=\"_self\">Microsoft Knowledge Base article 3115459</a><br/>See <a href=\"https://support.microsoft.com/help/3115462\" id=\"kb-link-54\" target=\"_self\">Microsoft Knowledge Base article 3115462</a><br/>See <a href=\"https://support.microsoft.com/help/3115463\" id=\"kb-link-55\" target=\"_self\">Microsoft Knowledge Base article 3115463</a><br/>See <a href=\"https://support.microsoft.com/help/3118300\" id=\"kb-link-56\" target=\"_self\">Microsoft Knowledge Base article 3118300</a><br/>See <a href=\"https://support.microsoft.com/help/3118303\" id=\"kb-link-57\" target=\"_self\">Microsoft Knowledge Base article 3118303</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\">Microsoft Office 2010 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the 
security update information for this software.<br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft Office 2010 Service Pack 2 (32-bit editions):<span class=\"text-base\"><br/><span class=\"text-base\">mso2010-kb3118309-fullfile-x86-glb.exe</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Office 2010 Service Pack 2 (64-bit editions): <br/><span class=\"text-base\">mso2010-kb3118309-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Office 2010 Service Pack 2 (32-bit editions):<span class=\"text-base\"><br/><span class=\"text-base\">offowc2010-kb2553432-fullfile-x86-glb.exe</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Office 2010 Service Pack 2 (64-bit editions): <br/><span class=\"text-base\">offowc2010-kb2553432-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Excel 2010 Service Pack 2 (32-bit editions):<span class=\"text-base\"><br/><span class=\"text-base\">excel2010-kb3118316-fullfile-x86-glb.exe</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Excel 2010 Service Pack 2 (64-bit editions) <br/><span class=\"text-base\">excel2010-kb3118316-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Outlook 2010 Service Pack 2 (32-bit editions):<span class=\"text-base\"><br/><span class=\"text-base\">outlook2010-kb3118316-fullfile-x86-glb.exe</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Outlook 2010 Service Pack 2 (64-bit editions) 
<br/><span class=\"text-base\">outlook2010-kb3118313-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-58\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement </span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. <br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-59\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Use the <span class=\"sbody-userinput\">Add or Remove Programs </span> item in <span class=\"sbody-userinput\"> Control Panel</span>. 
</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/2553432\" id=\"kb-link-60\" target=\"_self\">Microsoft Knowledge Base article 2553432</a><br/>See <a href=\"https://support.microsoft.com/help/3118309\" id=\"kb-link-61\" target=\"_self\">Microsoft Knowledge Base article 3118309</a><br/>See <a href=\"https://support.microsoft.com/help/3118313\" id=\"kb-link-62\" target=\"_self\">Microsoft Knowledge Base article 3118313</a><br/>See <a href=\"https://support.microsoft.com/help/3118316\" id=\"kb-link-63\" target=\"_self\">Microsoft Knowledge Base article 3118316</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\">Microsoft Office 2013 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft Office 2013 Service Pack 1 (32-bit editions)<br/><span class=\"text-base\">mso2013-kb3118268-fullfile-x86-glb.exe</span><span class=\"text-base\"><br/><span class=\"text-base\">excel2013-kb3118284-fullfile-x86-glb.exe</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Office 2013 Service Pack 1 (64-bit editions)<br/><span class=\"text-base\">mso2013-kb3118268-fullfile-x64-glb.exe</span><span class=\"text-base\"><br/><span class=\"text-base\">excel2013-kb3118284-fullfile-x64-glb.exe</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Outlook 2013 Service Pack 1 
(32-bit editions)<br/><span class=\"text-base\">outlook2013-kb3118280-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Outlook 2013 Service Pack 1 (64-bit editions)<br/><span class=\"text-base\">outlook2013-kb3118280-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions)<br/><span class=\"text-base\">powerpoint2013-kb3115487-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions)<br/><span class=\"text-base\">powerpoint2013-kb3115487-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Word 2013 Service Pack 1 (32-bit editions):<span class=\"text-base\"><br/><span class=\"text-base\">word2013-kb3115449-fullfile-x86-glb.exe</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Word 2013 Service Pack 1 (64-bit editions) <br/><span class=\"text-base\">word2013-kb3115449-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-64\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. 
<br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-65\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Use the <span class=\"sbody-userinput\">Add or Remove Programs </span> item in <span class=\"sbody-userinput\"> Control Panel</span>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3115256\" id=\"kb-link-66\" target=\"_self\">Microsoft Knowledge Base article 3115256</a><br/>See <a href=\"https://support.microsoft.com/help/3115427\" id=\"kb-link-67\" target=\"_self\">Microsoft Knowledge Base article 3115427</a><br/>See <a href=\"https://support.microsoft.com/help/3115449\" id=\"kb-link-68\" target=\"_self\">Microsoft Knowledge Base article 3115449</a><br/>See <a href=\"https://support.microsoft.com/help/3118268\" id=\"kb-link-69\" target=\"_self\">Microsoft Knowledge Base article 3118268</a><br/>See <a href=\"https://support.microsoft.com/help/3118280\" id=\"kb-link-70\" target=\"_self\">Microsoft Knowledge Base article 3118280</a><br/>See <a href=\"https://support.microsoft.com/help/3118284\" id=\"kb-link-71\" target=\"_self\">Microsoft Knowledge Base article 3118284</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\"> Microsoft Office 2013 RT (all editions)</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr 
class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">The 3115256, 3115427, 3115449, 3118268, and 3118280 updates for Microsoft Office 2013 RT and its components are available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-72\" target=\"_self\">Windows Update</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. <br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-73\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. 
</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3115256\" id=\"kb-link-74\" target=\"_self\">Microsoft Knowledge Base article 3115256</a><br/>See <a href=\"https://support.microsoft.com/help/3115427\" id=\"kb-link-75\" target=\"_self\">Microsoft Knowledge Base article 3115427</a><br/>See <a href=\"https://support.microsoft.com/help/3115449\" id=\"kb-link-76\" target=\"_self\">Microsoft Knowledge Base article 3115449</a><br/>See <a href=\"https://support.microsoft.com/help/3118268\" id=\"kb-link-77\" target=\"_self\">Microsoft Knowledge Base article 3118268</a><br/>See <a href=\"https://support.microsoft.com/help/3118280\" id=\"kb-link-78\" target=\"_self\">Microsoft Knowledge Base article 3118280</a></td></tr></table></div><h4 class=\"sbody-h4\">Microsoft Office 2016 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft Office 2016 (32-bit edition)<br/><span class=\"text-base\">mso2016-kb3118292-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Office 2016 (64-bit edition)<br/><span class=\"text-base\">mso2016-kb3118292-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Excel 2016 (32-bit edition)<br/><span class=\"text-base\">excel2016-kb3118290-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Excel 2016 (64-bit edition)<br/><span 
class=\"text-base\">excel2016-kb3118290-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Outlook 2016 (32-bit edition)<br/><span class=\"text-base\">outlook2016-kb3118293-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Outlook 2016 (64-bit edition)<br/><span class=\"text-base\">outlook2016-kb3118293-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-79\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. <br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-80\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Use the <span class=\"sbody-userinput\">Add or Remove Programs </span> item in <span class=\"sbody-userinput\"> Control Panel</span>. 
</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3118292\" id=\"kb-link-81\" target=\"_self\">Microsoft Knowledge Base article 3118292</a><br/>See <a href=\"https://support.microsoft.com/help/3118290\" id=\"kb-link-82\" target=\"_self\">Microsoft Knowledge Base article 3118290</a><br/>See <a href=\"https://support.microsoft.com/help/3118293\" id=\"kb-link-83\" target=\"_self\">Microsoft Knowledge Base article 3118293</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\">Office for Mac 2011</h4><span class=\"text-base\">Prerequisites</span><ul class=\"sbody-free_list\"><li>Mac OS X version 10.5.8 or later version on an Intel processor</li><li>Mac OS X user accounts must have administrator privileges to install this security update</li></ul><span class=\"text-base\">Installing the Update</span><br/><br/>Download and install the appropriate language version of the Microsoft Office for Mac 2011 14.6.8 Update from the <a href=\"https://www.microsoft.com/download/details.aspx?familyid=6c1741ba-696f-4fd6-9fe3-aca2b2ecc64e\" id=\"kb-link-84\" target=\"_self\">Microsoft Download Center</a>.<br/><ol class=\"sbody-num_list\"><li>Quit any applications that are running, including virus-protection applications and all Microsoft Office applications as they could interfere with the installation. </li><li>Open the Microsoft Office for Mac 2011 14.6.8. Update volume on your desktop. This step might have been performed for you. </li><li>To start the update process, open the Microsoft Office for Mac 2011 14.6.8. Update volume window, double-click the Microsoft Office for Mac 2011. 
Update application, and then follow the instructions on the screen.</li><li>When the installation finishes successfully, you can remove the update installer from your hard disk. To verify that the installation finished successfully, see <span class=\"text-base\">Verifying Update Installation</span>. To remove the update installer, first drag the Microsoft Office for Mac 2011 14.6.8. Update volume to the Trash, and then drag the file that you downloaded to the Trash. </li></ol><span class=\"text-base\">Verifying Update Installation</span><br/><br/>To verify that a security update is installed on an affected system, follow these steps:<br/><ol class=\"sbody-num_list\"><li>In <span class=\"text-base\">Finder</span>, navigate to the <span class=\"text-base\">Application Folder</span> (Microsoft Office 2011). </li><li>Select <span class=\"text-base\">Word</span>, <span class=\"text-base\">Excel</span>, <span class=\"text-base\">PowerPoint</span> or <span class=\"text-base\">Outlook</span> and then launch the application. </li><li>On the application menu, click <strong class=\"sbody-strong\">About Application_Name</strong> (where <strong class=\"sbody-strong\">About Application_Name</strong> is Word, Excel, PowerPoint or Outlook). </li></ol>If the Latest Installed Update Version number is <span class=\"text-base\">14.6.8</span>, the update has been successfully installed. <br/><br/><span class=\"text-base\">Restart Requirement</span><br/><br/>This update does not require you to restart your computer. <br/><br/><span class=\"text-base\">Removing the Update</span><br/><br/>This security update cannot be uninstalled. 
<br/><br/><span class=\"text-base\">Additional Information</span><br/><br/>If you have technical questions or problems downloading or using this update, see <a href=\"https://www.microsoft.com/mac/support\" id=\"kb-link-85\" target=\"_self\">Microsoft for Mac Support</a> to learn about the support options that are available to you.<br/><br/><h4 class=\"sbody-h4\">Office 2016 for Mac</h4><span class=\"text-base\">Prerequisites</span><ul class=\"sbody-free_list\"><li>Mac OS X Yosemite 10.10 or later version on an Intel processor</li><li>A valid Microsoft Office 365 subscription</li></ul><span class=\"text-base\">Installing the Update</span><br/><br/>Download and install the appropriate language version of the Microsoft Office 2016 for Mac 15.26 Update from the <a href=\"https://www.microsoft.com/download/details.aspx?familyid=6c1741ba-696f-4fd6-9fe3-aca2b2ecc64e\" id=\"kb-link-86\" target=\"_self\">Microsoft Download Center</a>.<br/><ol class=\"sbody-num_list\"><li>Quit any applications that are running, including virus-protection applications and all Microsoft Office applications as they could interfere with the installation. </li><li>Open the Microsoft Office 2016 for Mac 15.26. Update volume on your desktop. This step might have been performed for you. </li><li>To start the update process, in the Microsoft Office 2016 for Mac 15.26. Update volume window, double-click the Microsoft Office 2016 for Mac 15.26. Update application, and follow the instructions on the screen. </li><li>When the installation finishes successfully, you can remove the update installer from your hard disk. To verify that the installation finished successfully, see <span class=\"text-base\">Verifying Update Installation</span>. To remove the update installer, first drag the Microsoft Office 2016 for Mac 15.26. Update volume to the Trash, and then drag the file that you downloaded to the Trash. 
</li></ol><span class=\"text-base\">Verifying Update Installation</span><br/><br/>To verify that a security update is installed on an affected system, follow these steps:<br/><ol class=\"sbody-num_list\"><li>In <span class=\"text-base\">Finder</span>, navigate to the <span class=\"text-base\">Application Folder</span> (Microsoft Office 2016). </li><li>Select <span class=\"text-base\">Word</span>, <span class=\"text-base\">Excel</span>, <span class=\"text-base\">PowerPoint</span> or <span class=\"text-base\">Outlook</span> and then launch the application. </li><li>On the application menu, click <strong class=\"sbody-strong\">About Application_Name</strong> (where <strong class=\"sbody-strong\">About Application_Name</strong> is Word, Excel, PowerPoint or Outlook). </li></ol>If the Latest Installed Update Version number is <span class=\"text-base\">15.26</span>, the update has been successfully installed. <br/><br/><span class=\"text-base\">Restart Requirement</span><br/><br/>This update does not require you to restart your computer. 
<br/><br/><span class=\"text-base\">Removing the Update</span><br/><br/>This security update cannot be uninstalled.<br/><br/><h4 class=\"sbody-h4\">Microsoft SharePoint Server 2007 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Excel Services on Microsoft SharePoint Server 2007 Service Pack 3 (32-bit editions):<br/><span class=\"text-base\">xlsrvapp2007-kb3115112-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Excel Services on Microsoft SharePoint Server 2007 Service Pack 3 (64-bit editions):<br/><span class=\"text-base\">xlsrvapp2007-kb3115112-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-87\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">After you install this security update on all SharePoint servers, you must run the PSconfig tool to complete the installation process. <br/><br/>You may have to restart the computer after you install this security update. <br/><br/>In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message is displayed that advises you to restart the computer. 
<br/><br/>To help reduce the possibility that a restart will be required, stop all affected services and close all applications that may use the affected files before you install this security update. <br/><br/>See <a href=\"https://support.microsoft.com/en-us/help/887012\" id=\"kb-link-88\" target=\"_self\">Why you may be prompted to restart your computer after you install a security update on a Windows-based computer</a> for more information. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">This security update cannot be removed. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3115112\" id=\"kb-link-89\" target=\"_self\">Microsoft Knowledge Base article 3115112</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\">Microsoft SharePoint Server 2010 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Microsoft SharePoint Server 2010 Service Pack 2:<br/><span class=\"text-base\">ubersrv2010-kb3115473-fullfile-x64-glb.exe</span><br/><span class=\"text-base\">ubersrvprj2010-kb3115470-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Excel Services on supported editions of Microsoft SharePoint Server 2010 Service Pack 2:<br/><span 
class=\"text-base\">xlsrv2010-kb3115119-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Word Automation Services on supported editions of Microsoft SharePoint Server 2010 Service Pack 2:<br/><span class=\"text-base\">wdsrv2010-kb3115466-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-90\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">After you install this security update on all SharePoint servers, you must run the PSconfig tool to complete the installation process. <br/><br/>You may have to restart the computer after you install this security update. <br/><br/>In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message is displayed that advises you to restart the computer. <br/><br/>To help reduce the possibility that a restart will be required, stop all affected services and close all applications that may use the affected files before you install this security update. <br/><br/>See <a href=\"https://support.microsoft.com/en-us/help/887012\" id=\"kb-link-91\" target=\"_self\">Why you may be prompted to restart your computer after you install a security update on a Windows-based computer</a> for more information. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">This security update cannot be removed. 
</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3115119\" id=\"kb-link-92\" target=\"_self\">Microsoft Knowledge Base article 3115119</a><br/>See <a href=\"https://support.microsoft.com/help/3115466\" id=\"kb-link-93\" target=\"_self\">Microsoft Knowledge Base article 3115466</a><br/>See <a href=\"https://support.microsoft.com/help/3115473\" id=\"kb-link-94\" target=\"_self\">Microsoft Knowledge Base article 3115473</a><br/>See <a href=\"https://support.microsoft.com/help/3115470\" id=\"kb-link-95\" target=\"_self\">Microsoft Knowledge Base article 3115470</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\">Microsoft SharePoint Server 2013 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Microsoft SharePoint Server 2013 Service Pack 1:<br/><span class=\"text-base\">pptserverloc2013-kb3054862-fullfile-x64-glb.exe</span><span class=\"text-base\"><br/></span>ubersrvprj2013-kb3118274-fullfile-x64-glb.exe<br/>ubersrv2013-kb3118279-fullfile-x64-glb.exe</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Excel Services on supported editions of Microsoft SharePoint Server 2013 Service Pack 1:<br/><span class=\"text-base\">xlsrvloc2013-kb3115169-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Word Automation Services on supported editions of 
Microsoft SharePoint Server 2013 Service Pack 1:<br/><span class=\"text-base\">wdsrvloc2013-kb3115443-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-96\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">After you install this security update on all SharePoint servers, you must run the PSconfig tool to complete the installation process. <br/><br/>You may have to restart the computer after you install this security update. <br/><br/>In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message is displayed that advises you to restart the computer. <br/><br/>To help reduce the possibility that a restart will be required, stop all affected services and close all applications that may use the affected files before you install this security update. <br/><br/>See <a href=\"https://support.microsoft.com/en-us/help/887012\" id=\"kb-link-97\" target=\"_self\">Why you may be prompted to restart your computer after you install a security update on a Windows-based computer</a> for more information. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">This security update cannot be removed. 
</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3054862\" id=\"kb-link-98\" target=\"_self\">Microsoft Knowledge Base article 3054862</a><br/>See <a href=\"https://support.microsoft.com/help/3115169\" id=\"kb-link-99\" target=\"_self\">Microsoft Knowledge Base article 3115169</a><br/>See <a href=\"https://support.microsoft.com/help/3115443\" id=\"kb-link-100\" target=\"_self\">Microsoft Knowledge Base article 3115443</a><br/>See <a href=\"https://support.microsoft.com/help/3118274\" id=\"kb-link-101\" target=\"_self\">Microsoft Knowledge Base article 3118274</a><br/>See <a href=\"https://support.microsoft.com/help/3118279\" id=\"kb-link-102\" target=\"_self\">Microsoft Knowledge Base article 3118279</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\">Microsoft Office Web Apps 2010 (all versions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft Office Web Apps 2010 Service Pack 2:<br/><span class=\"text-base\">wac2010-kb3115472-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-103\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some 
cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. <br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-104\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">This security update cannot be removed. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3115472\" id=\"kb-link-105\" target=\"_self\">Microsoft Knowledge Base article 3115472</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\">Microsoft Office Web Apps 2013 (all versions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Microsoft Office Web Apps Server 2013 Service Pack 2:<br/><span class=\"text-base\">wacserver2013-kb</span>3118270<span class=\"text-base\">-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a 
href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-106\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. <br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-107\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">This security update cannot be removed. 
</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3118270\" id=\"kb-link-108\" target=\"_self\">Microsoft Knowledge Base article 3118270</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\">Office Online Server</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><br/><br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Office Online Server:<br/><span class=\"text-base\">wacserver2016-kb3118299-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-109\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. <br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. 
For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-110\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">This security update cannot be removed. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3118299\" id=\"kb-link-111\" target=\"_self\">Microsoft Knowledge Base article 3118299</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to get help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-112\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-113\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-114\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: 
<a href=\"\" id=\"kb-link-115\" target=\"_self\">International Support</a></div><br/></span></div></div></div></div></body></html>", "edition": 4, "modified": "2020-04-16T07:12:48", "id": "KB3185852", "href": "https://support.microsoft.com/en-us/help/3185852/", "published": "2016-09-13T00:00:00", "title": "MS16-107: Security update for Microsoft Office: September 13, 2016", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:55:02", "bulletinFamily": "info", "cvelist": ["CVE-2016-3359", "CVE-2016-3364", "CVE-2016-0141", "CVE-2016-3381", "CVE-2016-3360", "CVE-2016-3363", "CVE-2016-3357", "CVE-2016-0137", "CVE-2016-3361", "CVE-2016-3362", "CVE-2016-3358", "CVE-2016-3365", "CVE-2016-3366"], "description": "### *Detect date*:\n09/13/2016\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Office. Malicious users can exploit these vulnerabilities to bypass security restrictions, spoof the user interface, execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Office 2007 Service Pack 3 \nMicrosoft Office 2010 Service Pack 2 \nMicrosoft Office 2013 Service Pack 1 \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office 2016 \nMicrosoft Office for Mac 2011 \nMicrosoft Office 2016 for Mac \nMicrosoft Office Compatibility Pack Service Pack 3 \nMicrosoft Excel, PowerPoint and Word Viewers \nMicrosoft SharePoint Server 2007 Service Pack 3 \nMicrosoft SharePoint Server 2010 Service Pack 2 \nMicrosoft SharePoint Server 2013 Service Pack 1 \nMicrosoft Office Web Apps 2010 Service Pack 2 \nMicrosoft Office Web Apps 2013 Service Pack 1 \nOffice Online Server\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original 
advisories*:\n[CVE-2016-3362](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3362>) \n[CVE-2016-3363](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3363>) \n[CVE-2016-3364](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3364>) \n[CVE-2016-3365](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3365>) \n[CVE-2016-3366](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3366>) \n[CVE-2016-3358](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3358>) \n[CVE-2016-0137](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0137>) \n[CVE-2016-0141](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0141>) \n[CVE-2016-3357](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3357>) \n[CVE-2016-3381](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3381>) \n[CVE-2016-3359](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3359>) \n[CVE-2016-3360](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3360>) \n[CVE-2016-3361](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3361>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2016-3362](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3362>)9.3Critical \n[CVE-2016-3363](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3363>)9.3Critical \n[CVE-2016-3364](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3364>)9.3Critical \n[CVE-2016-3365](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3365>)9.3Critical \n[CVE-2016-3366](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3366>)4.3Warning 
\n[CVE-2016-3358](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3358>)9.3Critical \n[CVE-2016-0137](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0137>)4.3Warning \n[CVE-2016-0141](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0141>)4.3Warning \n[CVE-2016-3357](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3357>)9.3Critical \n[CVE-2016-3381](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3381>)9.3Critical \n[CVE-2016-3359](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3359>)9.3Critical \n[CVE-2016-3360](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3360>)9.3Critical \n[CVE-2016-3361](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3361>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3118270](<http://support.microsoft.com/kb/3118270>) \n[3115459](<http://support.microsoft.com/kb/3115459>) \n[3118299](<http://support.microsoft.com/kb/3118299>) \n[3118290](<http://support.microsoft.com/kb/3118290>) \n[3118292](<http://support.microsoft.com/kb/3118292>) \n[3118293](<http://support.microsoft.com/kb/3118293>) \n[3115472](<http://support.microsoft.com/kb/3115472>) \n[3118297](<http://support.microsoft.com/kb/3118297>) \n[3115169](<http://support.microsoft.com/kb/3115169>) \n[3118316](<http://support.microsoft.com/kb/3118316>) \n[3114744](<http://support.microsoft.com/kb/3114744>) \n[3118313](<http://support.microsoft.com/kb/3118313>) \n[3115487](<http://support.microsoft.com/kb/3115487>) \n[2597974](<http://support.microsoft.com/kb/2597974>) \n[3054862](<http://support.microsoft.com/kb/3054862>) \n[2553432](<http://support.microsoft.com/kb/2553432>) \n[3115462](<http://support.microsoft.com/kb/3115462>) \n[3115463](<http://support.microsoft.com/kb/3115463>) \n[3115119](<http://support.microsoft.com/kb/3115119>) \n[3115466](<http://support.microsoft.com/kb/3115466>) \n[3115467](<http://support.microsoft.com/kb/3115467>) 
\n[3115443](<http://support.microsoft.com/kb/3115443>) \n[3115112](<http://support.microsoft.com/kb/3115112>) \n[3054969](<http://support.microsoft.com/kb/3054969>) \n[3118284](<http://support.microsoft.com/kb/3118284>) \n[3186807](<http://support.microsoft.com/kb/3186807>) \n[3186805](<http://support.microsoft.com/kb/3186805>) \n[3118280](<http://support.microsoft.com/kb/3118280>) \n[3118303](<http://support.microsoft.com/kb/3118303>) \n[3118300](<http://support.microsoft.com/kb/3118300>) \n[3118268](<http://support.microsoft.com/kb/3118268>) \n[3118309](<http://support.microsoft.com/kb/3118309>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 43, "modified": "2020-06-18T00:00:00", "published": "2016-09-13T00:00:00", "id": "KLA10874", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10874", "title": "KLA10874 Multiple vulnerabilities in Microsoft Office", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}