CERT-In Vulnerability Note
Remote Code Execution Vulnerability in Microsoft Word and Office Web Apps
Original Issue Date: October 15, 2014
Severity Rating: HIGH
- Microsoft Office 2007 SP3
- Microsoft Office 2010 SP1 and SP2 (32-bit editions)
- Microsoft Office 2010 SP1 and SP2 (64-bit editions)
- Microsoft Word 2010 SP1 and SP2 (32-bit editions)
- Microsoft Word 2010 SP1 and SP2 (64-bit editions)
- Microsoft Office for Mac 2011
- Microsoft Office Compatibility Pack SP3
- Microsoft Office Web Apps 2010, SP1 and SP2
- Word Automation Services on Microsoft SharePoint Server 2010 SP2 and prior
A remote code execution vulnerability has been reported in Microsoft Word and Office Web Apps which could be exploited by a remote attacker to execute arbitrary code in the context of the currently logged-in user.
The vulnerability exists in Microsoft Word due to improper handling of memory objects while parsing specially crafted Office files. A remote attacker could leverage this issue by enticing the user to view a specially crafted document to trigger memory corruption.
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code and thereby take complete control of the affected system, allowing the attacker to install programs; view, change, or delete data; or create new accounts in the security context of the logged-in user.
- Do not open Office files that are received from untrusted sources or that are received unexpectedly from trusted sources
Apply appropriate patches as mentioned in the Microsoft Security Bulletin
The information provided herein is on "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003