CVE-2017-0197

Name of the Vulnerable Software and Affected Versions Microsoft OneNote versions 2007 SP3 through 2010 SP2

Description The issue exists due to insufficient input validation, allowing remote attackers to execute arbitrary code via a crafted document. An attacker who successfully exploits this could take control of an affected system, then install programs, view, change, or delete data, or create new accounts with full user rights. Users with fewer user rights on the system could be less impacted than those operating with administrative user rights. To exploit the issue, an attacker would first have to convince a user to open a specially crafted office document.

Recommendations For Microsoft OneNote 2007 SP3, update to a newer version to mitigate the risk. For Microsoft OneNote 2010 SP2, update to a newer version to mitigate the risk. As a temporary workaround, consider restricting the use of dynamic link library (DLL) files until a patch is available.