This security update resolves one publicly disclosed vulnerability in a Microsoft Office shared component that is currently being exploited. The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.
This security update is rated Important for supported editions of Microsoft Office 2007 and Microsoft Office 2010 software. The security update addresses the vulnerability by helping to ensure that the Microsoft Office shared component properly implements ASLR.
More
此安全更新解决了 Microsoft Office 中一个秘密报告的漏洞。如果攻击者将特制内容发送给用户,则该漏洞可能允许特权提升。
此安全更新可解决 Microsoft Windows 中一个秘密报告的漏洞。如果攻击者向 Microsoft DirectAccess 部署中的常用 IP-HTTPS 服务器呈现被吊销的证书,则该漏洞可能允许安全功能绕过。要利用此漏洞,攻击者必须使用从针对 IP-HTTPS 服务器身份验证的域颁发的证书。登录到组织内部的系统仍然需要系统或域凭据。
此安全更新可解决 Microsoft Windows 中一个秘密报告的漏洞。如果用户浏览到包含特制名称的文件或子文件夹的文件夹,则该漏洞可能允许远程执行代码。成功利用此漏洞的攻击者可以获得与当前用户相同的用户权限。那些帐户被配置为拥有较少系统用户权限的用户比具有管理用户权限的用户受到的影响要小。