CVE-2023-36897: Visual Studio Tools for Office Runtime Spoofing Vulnerability

Overview

Severity

High (CVSS 8.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2023-Aug

Released

2023-08-08

Last Updated

2023-08-15

EPSS Score

0.16% (percentile: 36.5%)

FAQ

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to click on install to be compromised by the attacker. How could an attacker exploit this vulnerability? An unauthenticated attacker could bypass validation as a trusted source through a crafted certificate that could mislead a user to believing the file they are installing is legitimate.

Affected Products (12)

Microsoft Office

• Microsoft Office 2019 for 32-bit editions
• Microsoft Office 2019 for 64-bit editions
• Microsoft 365 Apps for Enterprise for 32-bit Systems
• Microsoft 365 Apps for Enterprise for 64-bit Systems
• Microsoft Office LTSC 2021 for 64-bit editions
• Microsoft Office LTSC 2021 for 32-bit editions

Developer Tools

• Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
• Microsoft Visual Studio 2022 version 17.2
• Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
• Microsoft Visual Studio 2022 version 17.4
• Microsoft Visual Studio 2022 version 17.6
• Visual Studio 2010 Tools for Office Runtime

Security Updates (6)

• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• 5029497

Acknowledgments

Bill Demirkapi with Microsoft

Revision History

• 2023-08-08: Information published.
• 2023-08-15: In the Security Updates table, added the Download link for Visual Studio 2010 Tools for Office Runtime.