Security Advisory
TSA-2018-001: Microsoft Access Information Disclosure Vulnerability
CVE Number: CVE-2018-0853
Summary
An information disclosure vulnerability exists when Microsoft Office Access software reads out of bound memory due to an uninitialized variable, which could disclose the contents of memory. An attacker who successfully exploited the vulnerability could view out of bound memory.
Details and crash information
VCRUNTIME140!memcpy+0x4e:
72edd1ce f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
VCRUNTIME140!memcpy+0x4e:
72edd1ce f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
Vendor: Microsoft
Product: Access
Version: 16.0.8625.2127
Vendor URLs:
- https://www.microsoft.com
- https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0853
Vendor Response
The vendor has patched the vulnerability and released a new version.
The vendor has patched the vulnerability and released a new version.
Disclosure Timeline
- 23-11-2017 – Initial Discovery
- 25-11-2017 – Vendor Notification
- 19-01-2018 – Vendor Patch
- 13-02-2018 – Public Disclosure
Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems