PT-2015-5739 · Microsoft · Visio 2013 +29

Published: 2015-08-11 · Updated: 2019-05-15 · CVE-2015-2423

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, Windows 10
Excel 2007 SP3, PowerPoint 2007 SP3, Visio 2007 SP3, Word 2007 SP3
Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Visio 2010 SP2, Word 2010 SP2
Excel 2013 SP1, PowerPoint 2013 SP1, Visio 2013 SP1, Word 2013 SP1
Excel 2013 RT SP1, PowerPoint 2013 RT SP1, Visio 2013 RT SP1, Word 2013 RT SP1
Internet Explorer 7 through 11

Description

An information disclosure issue exists in Microsoft Windows, Internet Explorer, and Microsoft Office when files at a medium integrity level become accessible to Internet Explorer running in Enhanced Protection Mode (EPM). To exploit this issue, an attacker would first need to leverage another vulnerability and execute code in Internet Explorer with EPM, and then execute Excel, Notepad, PowerPoint, Visio, or Word using an unsafe command line parameter. This allows remote attackers to gain privileges and obtain sensitive information.

Recommendations

For Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, Windows 10, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

For Excel 2007 SP3, PowerPoint 2007 SP3, Visio 2007 SP3, Word 2007 SP3, Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Visio 2010 SP2, Word 2010 SP2, Excel 2013 SP1, PowerPoint 2013 SP1, Visio 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, PowerPoint 2013 RT SP1, Visio 2013 RT SP1, Word 2013 RT SP1, avoid using unsafe command line parameters when executing these applications.

For Internet Explorer 7 through 11, consider disabling Enhanced Protection Mode (EPM) until a patch is available.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2015-2423

Affected Products

Excel 2007
Excel 2010
Excel 2013
Excel 2013 Rt
Internet Explorer
Office 2010
Office Excel
Office Powerpoint
Office Visio
Office Word
Powerpoint 2007
Powerpoint 2010
Powerpoint 2013 Rt
Visio 2007
Visio 2010
Visio 2013
Visio 2013 Rt
Windows
Windows 10
Windows 7
Windows 8
Windows 8.1
Windows Rt
Windows Server 2008
Windows Server 2012
Windows Vista
Word 2007
Word 2010
Word 2013
Word 2013 Rt