CVE-2014-1809

Name of the Vulnerable Software and Affected Versions Microsoft Office 2007 version SP3 Microsoft Office 2010 versions SP1 through SP2 Microsoft Office 2013 versions Gold through RT SP1

Description The MSCOMCTL library in Microsoft Office does not properly implement Address Space Layout Randomization (ASLR), making it easier for remote attackers to bypass the ASLR protection mechanism. This issue has been exploited in the wild. The security feature bypass by itself does not allow arbitrary code execution, but an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability to run arbitrary code.

Recommendations For Microsoft Office 2007 version SP3, update to a newer version to mitigate the risk. For Microsoft Office 2010 versions SP1 through SP2, update to a newer version to mitigate the risk. For Microsoft Office 2013 versions Gold through RT SP1, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting access to the MSCOMCTL library until a patch is available.