CVE-2016-3235 — HIGH (7.8) — White Hats Nepal

Vulnerability Description

Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, Visio Viewer 2007 SP3, and Visio Viewer 2010 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Microsoft Office OLE DLL Side Loading Vulnerability."

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Microsoft	Visio	2007
Microsoft	Visio Viewer	2007

References

http://packetstormsecurity.com/files/137490/Microsoft-Visio-DLL-Hijacking.htmlThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2016/Jun/32Mailing ListThird Party AdvisoryBroken Link
http://www.securityfocus.com/archive/1/538685/100/0/threadedBroken LinkThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1036093Broken LinkThird Party AdvisoryVDB Entry
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-07PatchVendor Advisory
https://www.securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_lExploitThird Party Advisory
http://packetstormsecurity.com/files/137490/Microsoft-Visio-DLL-Hijacking.htmlThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2016/Jun/32Mailing ListThird Party AdvisoryBroken Link
http://www.securityfocus.com/archive/1/538685/100/0/threadedBroken LinkThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1036093Broken LinkThird Party AdvisoryVDB Entry
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-07PatchVendor Advisory
https://www.securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_lExploitThird Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-US Government Resource

FAQ

What is CVE-2016-3235?

CVE-2016-3235 is a vulnerability with a CVSS score of 7.8 (HIGH). Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, Visio Viewer 2007 SP3, and Visio Viewer 2010 mishandle library loading, which allows local users to gain privileges via a crafted ...

How severe is CVE-2016-3235?

CVE-2016-3235 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-3235?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Visio, Microsoft Visio Viewer.