ID CVE-2018-0907
Summary Microsoft Excel 2007 SP3, Microsoft Excel 2010 SP2, Microsoft Excel 2013 SP1, Microsoft Excel 2016, Microsoft Office 2016 Click-to-Run and Microsoft Office 2016 for Mac allow a security feature bypass vulnerability due to how macro settings are enforced, aka "Microsoft Office Excel Security Feature Bypass".
References
Vulnerable Configurations
  • Microsoft Office Excel 2007 Service Pack 2
    cpe:2.3:a:microsoft:excel:2007:sp2
  • Microsoft Office Excel 2007 Service Pack 3
    cpe:2.3:a:microsoft:excel:2007:sp3
  • Microsoft Excel 2013 Service Pack 1
    cpe:2.3:a:microsoft:excel:2013:sp1
  • Microsoft Excel 2016
    cpe:2.3:a:microsoft:excel:2016
  • cpe:2.3:a:microsoft:office:2016:-:-:-:-:mac_os_x
    cpe:2.3:a:microsoft:office:2016:-:-:-:-:mac_os_x
  • Microsoft Office 2016 Click-to-Run (C2R)
    cpe:2.3:a:microsoft:office:2016:-:-:-:click-to-run
CVSS
Base: 6.8
Impact:
Exploitability:
CWE CWE-254
CAPEC
msbulletin via4
bulletin_SOURCE_FILE https://portal.msrc.microsoft.com/api/security-guidance/en-us/
cves_url https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0907
impact Security Feature Bypass
knowledgebase_SOURCE_FILE
knowledgebase_id
name Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
publishedDate 2018-03-13T07:00:00
severity Important
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_MS18_MAR_OFFICE.NASL
    description The Microsoft Office 2016 application installed on the remote macOS or Mac OS X host is missing a security update. It is, therefore, affected by the following vulnerabilities: - A security feature bypass vulnerability exists in Microsoft Office software by not enforcing macro settings on an Excel document. The security feature bypass by itself does not allow arbitrary code execution. To successfully exploit the vulnerability, an attacker would have to embed a control in an Excel worksheet that specifies a macro should be run. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file with an affected version of Microsoft Office software. The security update addresses the vulnerability by enforcing macro settings on Excel documents. (CVE-2018-0907) - An information disclosure vulnerability exists when Microsoft Office software reads out of bound memory due to an uninitialized variable, which could disclose the contents of memory. An attacker who successfully exploited the vulnerability could view out of bound memory. (CVE-2018-0919)
    last seen 2019-02-21
    modified 2018-03-16
    plugin id 108282
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108282
    title Security Update for Microsoft Office (March 2018) (macOS)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_MAR_EXCEL.NASL
    description The Microsoft Excel Products are missing a security update. It is, therefore, affected by the following vulnerability : - A security feature bypass vulnerability exists in Microsoft Office software by not enforcing macro settings on an Excel document. The security feature bypass by itself does not allow arbitrary code execution. To successfully exploit the vulnerability, an attacker would have to embed a control in an Excel worksheet that specifies a macro should be run. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file with an affected version of Microsoft Office software. The security update addresses the vulnerability by enforcing macro settings on Excel documents. (CVE-2018-0907)
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 108293
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108293
    title Security Updates for Microsoft Excel Products (March 2018)
refmap via4
bid 103325
confirm https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0907
sectrack 1040524
Last major update 14-03-2018 - 13:29
Published 14-03-2018 - 13:29
Last modified 06-04-2018 - 13:32