5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.035 Low
EPSS
Percentile
91.5%
Microsoft Office Word
Version: 2007 SP3 and earlier; 2003 SP3 and earlier
Microsoft Office
Version: 2007 SP3 and earlier; 2003 SP3 and earlier
Microsoft Word Viewer
Version: 2007 SP3 and earlier
Link:
<http://microsoft.com/>[](<http://qutim.org/>)
Severity level: Medium
Impact: Internal Network Resources and File System Access, Denial of Service
Access Vector: Remote
CVSS v2:
Base Score: 5.8
Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)
CVE: CVE-2013-3160
Microsoft Office Word is a commercial word processor designed by Microsoft.
The specialists of the Positive Research center have detected an XML External Entities Resolution vulnerability in Microsoft Office Word and Word Viewer.
The vulnerability is possible due to unsafe parsing of XML external entities. If an attacker makes a victim open a specially crafted XML document, Microsoft Office Word installed on the victimโs system will automatically send the contents of local or remote resource to the attackerโs server provided that the use of the remote XSD was approved by the user. It also makes possible to conduct denial of service attacks.
Use vendorโs advisory:
<http://technet.microsoft.com/en-us/security/bulletin/ms13-072>
26.11.2012 - Vendor gets vulnerability details
10.09.2013 - Vendor releases fixed version and details
09.10.2013 - Public disclosure
The vulnerability was detected by Timur Yunusov, Alexey Osipov and Ilya Karpov, Positive Research Center (Positive Technologies Company)
<http://en.securitylab.ru/lab/PT-2013-73>
Reports on the vulnerabilities previously discovered by Positive Research:
<http://www.ptsecurity.com/research/advisory/>
<http://en.securitylab.ru/lab/>