SB2015081104 - Unsafe Command Line Parameter Passing Could Allow Information Disclosure 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2015081104

SB2015081104 - Unsafe Command Line Parameter Passing Could Allow Information Disclosure

Published: August 11, 2015

Security Bulletin ID SB2015081104
Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 security vulnerability.


1) Input validation error (CVE-ID: CVE-2015-2423)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to input validation error when processing command line parameters in Microsoft Office files at a medium integrity level within Internet Explorer running in Enhanced Protection Mode (EPM). A remote attacker can trick the victim into opening a specially crafted Office file and execute arbitrary commands on the target system with privileges of the current user.

The vulnerability resides within Microsoft Windows, Internet Explorer, and Microsoft Office.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.


Remediation

Install update from vendor's website.

References