CVE-2015-2558

Name of the Vulnerable Software and Affected Versions Microsoft Excel versions 2007 SP3 through 2016 Microsoft Excel for Mac versions 2011 through 2016 Microsoft Excel Viewer (affected versions not specified) Microsoft Office Compatibility Pack version SP3 Microsoft Excel Services on SharePoint Server versions 2007 SP3 through 2013 SP1

Description A use-after-free issue in Microsoft Office software allows remote attackers to execute arbitrary code via a long fileVersion element in an Office document. This occurs when the Office software fails to properly handle objects in memory. An attacker who successfully exploits this issue could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system, then install programs, view, change, or delete data, or create new accounts with full user rights. Exploitation requires that a user open a specially crafted file with an affected version of Microsoft Office software.

Recommendations For Microsoft Excel versions 2007 SP3 through 2016, update to a version that includes the fix for this issue. For Microsoft Excel for Mac versions 2011 through 2016, update to a version that includes the fix for this issue. For Microsoft Excel Viewer, at the moment, there is no information about a newer version that contains a fix for this issue. For Microsoft Office Compatibility Pack version SP3, update to a version that includes the fix for this issue. For Microsoft Excel Services on SharePoint Server versions 2007 SP3 through 2013 SP1, update to a version that includes the fix for this issue. As a temporary workaround, consider avoiding the use of the fileVersion element in Office documents until a patch is available.