PT-2017-1529 · Microsoft · Office+6
Published: 2017-03-14 · Updated: 2017-07-12 · CVE-2017-0105
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Microsoft Word version 2007 SP3
Office version 2010 SP2
Word for Mac version 2011
Office Compatibility Pack version SP3
Word Automation Services on SharePoint Server version 2010 SP2
Office Web Apps version 2010 SP2
Description
The issue is related to the lack of protection for internal data in Microsoft Word, allowing remote attackers to obtain sensitive information from out-of-bounds memory via a crafted Office document. An information disclosure vulnerability exists when Microsoft Office software reads out-of-bounds memory due to an uninitialized variable, which could disclose the contents of memory. An attacker who successfully exploited the issue could view out-of-bounds memory. Exploitation requires that a user open a specially crafted file with an affected version of Microsoft Office software.
Recommendations
For Microsoft Word 2007 SP3, update to a fixed version to resolve the issue.
For Office 2010 SP2, update to a fixed version to resolve the issue.
For Word 2010 SP2, update to a fixed version to resolve the issue.
For Word for Mac 2011, update to a fixed version to resolve the issue.
For Office Compatibility Pack SP3, update to a fixed version to resolve the issue.
For Word Automation Services on SharePoint Server 2010 SP2, update to a fixed version to resolve the issue.
For Office Web Apps 2010 SP2, update to a fixed version to resolve the issue.
As a temporary workaround, consider avoiding the use of affected Microsoft Office software to open specially crafted files until a patch is available.
Fix
Information Disclosure
Affected Products
Office Word
Office
Office Compatibility Pack
Office Web Apps
SharePoint Server
Word Automation Services
Word for Mac