CVE-2017-8676 Microsoft Lync and Skype for Business Security Update for September 2017

Vulnerability category: Office Application

Severity:

Vulnerability information

Microsoft released security updates that resolve vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. The following updates were released in September 2017:
CVE-2017-8676: An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system.
CVE-2017-8695: An information disclosure vulnerability exists when Windows Uniscribe improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system.
CVE-2017-8696: A remote code execution vulnerability exists due to the way Windows Uniscribe handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system.

KB Articles associated with this update:
3213568, 4011040, 4011107, 4025865, 4025866, 4025867

Impact

Successful exploitation allows an attacker to execute arbitrary code and bypass security restrictions to gain access to sensitive information.

Solution

Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

KB4011107

KB4025865

KB4025866

KB4025867

KB3213568

KB4011040
