PT-2015-3020 · Microsoft · Office Compatibility Pack+3

Published: 2015-12-08 · Updated: 2026-05-14 · CVE-2015-6172

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Microsoft Word versions 2007 SP3 through 2016
Office versions 2010 SP2
Word 2010 version SP2
Word 2013 versions SP1 through RT SP1
Office Compatibility Pack version SP3

Description

The issue allows remote attackers to execute arbitrary code via a crafted email message processed by Outlook. This is due to insufficient input validation in Microsoft Office, specifically in the way Outlook parses specially crafted email messages. An attacker who successfully exploits this could run arbitrary code as the logged-on user and take complete control of the affected system, allowing them to install programs, view, change, or delete data, or create new accounts with full user rights. The vulnerability can be exploited when a user opens or previews a specially crafted email message with an affected version of Microsoft Outlook.

Recommendations

For Microsoft Word 2007 SP3, update to a version that includes the fix for this issue.
For Office 2010 SP2, apply the recommended configuration changes to mitigate the risk.
For Word 2010 SP2, consider disabling the processing of specially crafted email messages until a patch is available.
For Word 2013 SP1 and RT SP1, restrict access to the vulnerable component in Outlook to minimize the risk of exploitation.
For Office Compatibility Pack SP3, avoid using the affected version of Outlook to process email messages until the issue is resolved.
For all affected versions, as a temporary workaround, consider implementing additional security measures such as restricting user rights and closely monitoring system activity for signs of exploitation.

Fix

DoS

RCE

Weakness Enumeration

Related Identifiers

BDU:2016-00224
CVE-2015-6172

Affected Products

Office Word
Office
Office Compatibility Pack
Outlook