– Multiple remote code execution vulnerabilities exist in Microsoft Office software when the Office software fails to properly handle objects in memory.
– An information disclosure vulnerability exists when Microsoft OneNote improperly discloses its memory contents.
Microsoft has released a security update that addresses the vulnerabilities by correcting how:
– Office handles objects in memory
– Certain functions handle objects in memory
– Windows validates input before loading libraries
The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.
Refer to MS16-099 for more information.
Following are links for downloading patches to fix the vulnerabilities: