CVE-2016-3301

Name of the Vulnerable Software and Affected Versions Microsoft Windows versions prior to Windows 10 1709 Microsoft Office versions prior to Office 2016 Word Viewer version not specified Skype for Business versions prior to 2016 Lync versions prior to 2013 SP1 Live Meeting 2007 Console version not specified

Description The issue exists due to insufficient input validation in the Windows font library. This allows a remote attacker to execute arbitrary code using a specially crafted embedded font. The vulnerability can be exploited to take control of the affected system, enabling the attacker to install programs, view, change, or delete data, or create new accounts with full user rights. Users with fewer user rights on the system may be less impacted than those operating with administrative user rights.

Recommendations For Microsoft Windows versions prior to Windows 10 1709, update to Windows 10 1709 or later. For Microsoft Office versions prior to Office 2016, update to Office 2016 or later. For Word Viewer, Skype for Business, Lync, and Live Meeting 2007 Console, no specific fix information is provided, so consider restricting the use of embedded fonts until a patch is available. As a temporary workaround, consider disabling the handling of embedded fonts in the Windows font library until a patch is available.