Wednesday, February 28, 2018

Telspace Systems Security Advisory (TSA-2018-001)

Security Advisory



TSA-2018-001: Microsoft Access Information Disclosure Vulnerability

CVE Number: CVE-2018-0853


Summary

An information disclosure vulnerability exists when Microsoft Office Access software reads out of bound memory due to an uninitialized variable, which could disclose the contents of memory. An attacker who successfully exploited the vulnerability could view out of bound memory.


Details and crash information

VCRUNTIME140!memcpy+0x4e:

72edd1ce f3a4            rep movs byte ptr es:[edi],byte ptr [esi]


Vendor: Microsoft

Product: Access

Version: 16.0.8625.2127

Vendor URLs:



Vendor Response

The vendor has patched the vulnerability and released a new version.


Disclosure Timeline

  • 23-11-2017 – Initial Discovery
  • 25-11-2017 – Vendor Notification
  • 19-01-2018 – Vendor Patch
  • 13-02-2018 – Public Disclosure


Credit

This vulnerability was discovered by Dmitri Kaslov of Telspace Systems