CVE-2016-3235: Microsoft Office OLE DLL Side Loading Vulnerability
First published: Thu Jun 16 2016(Updated: )
Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, Visio Viewer 2007 SP3, and Visio Viewer 2010 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Microsoft Office OLE DLL Side Loading Vulnerability."
Credit: secure@microsoft.com secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Office | ||
| Microsoft Visio Standard | =2007-sp3 | |
| Microsoft Visio Standard | =2010-sp2 | |
| Microsoft Visio Standard | =2013-sp1 | |
| Microsoft Visio Standard | =2016 | |
| Microsoft Visio Viewer 2016 | =2007-sp3 | |
| Microsoft Visio Viewer 2016 | =2010 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/137490/Microsoft-Visio-DLL-Hijacking.html
- http://seclists.org/fulldisclosure/2016/Jun/32
- http://www.securityfocus.com/archive/1/538685/100/0/threaded
- http://www.securitytracker.com/id/1036093
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-070
- https://www.securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html
- https://nvd.nist.gov/vuln/detail/CVE-2016-3235
Frequently Asked Questions
What is the severity of CVE-2016-3235?
CVE-2016-3235 has a severity rating that can lead to privilege escalation for local users.
How do I fix CVE-2016-3235?
To fix CVE-2016-3235, users should apply the latest security updates provided by Microsoft for the affected Visio versions.
Which software versions are affected by CVE-2016-3235?
CVE-2016-3235 affects Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, and associated Visio Viewer versions.
What type of vulnerability is CVE-2016-3235?
CVE-2016-3235 is classified as a DLL side loading vulnerability that can allow local users to gain elevated privileges.
Can CVE-2016-3235 affect enterprise environments?
Yes, CVE-2016-3235 poses a risk to enterprise environments where affected versions of Microsoft Visio are in use.
- agent/type
- agent/description
- agent/title
- agent/weakness
- agent/author
- agent/severity
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/references
- agent/source
- agent/tags
- agent/softwarecombine
- agent/event
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- vendor/microsoft
- canonical/microsoft office
- canonical/microsoft visio standard
- version/microsoft visio standard/2007-sp3
- version/microsoft visio standard/2010-sp2
- version/microsoft visio standard/2013-sp1
- version/microsoft visio standard/2016
- canonical/microsoft visio viewer 2016
- version/microsoft visio viewer 2016/2007-sp3
- version/microsoft visio viewer 2016/2010