CVE-2016-3235
Published 2016-06-16
Priority: P1 · 80 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 43.43% (98.6th percentile)
Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, Visio Viewer 2007 SP3, and Visio Viewer 2010 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Microsoft Office OLE DLL Side Loading Vulnerability."
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | visio | — | — |
| microsoft | visio | — | — |
| microsoft | visio | — | — |
| microsoft | visio | — | — |
| microsoft | visio_viewer | — | — |
| microsoft | visio_viewer | — | — |
| msrc | microsoft_visio_2007_service_pack_3 | — | — |
| msrc | microsoft_visio_2010_service_pack_2 | — | — |
| msrc | microsoft_visio_2013_service_pack_1 | — | — |
| msrc | microsoft_visio_2016 | — | — |
| msrc | microsoft_visio_viewer_2007_service_pack_3 | — | — |
| msrc | microsoft_visio_viewer_2010 | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered when a user opens a specially crafted Office document that causes Office to load a malicious DLL via OLE DLL side-loading (improper input validation before loading DLL files)
- Attack vector is local DLL side-loading; monitor for suspicious DLL loads by Visio or other Office processes (visio.exe, etc.) from non-standard or user-writable directories
- The vulnerability resides in Microsoft Office OLE (Object Linking & Embedding) DLL handling; monitor for OLE-related DLL loads from Office applications that originate from unexpected paths
- Successful exploitation results in full remote code execution with the privileges of the logged-in user; monitor for child processes spawned by Office applications (e.g., visio.exe) that perform privilege-escalating actions such as account creation or data modification
- The update 3115198 is configuration-specific and will not be offered to all Microsoft Office 2010 installations; verify applicability before assuming patch coverage
- Patch applicability extends beyond explicitly listed products to all Office components sharing the vulnerable OLE DLL; ensure all shared-component Office products are assessed, not just those named in the Affected Software table
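The DLL-load monitoring described in the bullets above, as an added example (not code from this page or from any of its sources): a filter over image-load events that flags DLLs loaded by a watched Office process from outside the normal install roots. It assumes events shaped like Sysmon Event ID 7 records (`Image`, `ImageLoaded`, `Signed`); the watched-process list, trusted roots and all sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: process names to watch. visio.exe is named on the page; add the
# Visio Viewer host and other Office binaries from your own inventory.
WATCHED_IMAGES = {"visio.exe"}
# Assumption: roots where Windows and Office DLLs are normally installed.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def normalize(path):
    """Lower-case, use backslashes and collapse '..' so prefix checks hold."""
    return ntpath.normpath(path.replace("/", "\\")).lower()

def classify_load(event):
    """Return a finding for a DLL loaded from an unexpected path, else None."""
    image = normalize(event["Image"])
    loaded = normalize(event["ImageLoaded"])
    if ntpath.basename(image) not in WATCHED_IMAGES or not loaded.endswith(".dll"):
        return None
    if loaded.startswith(TRUSTED_ROOTS):
        return None
    reasons = ["outside trusted install roots"]
    if loaded.startswith("\\\\"):
        reasons.append("network share")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned")
    return {"process": image, "dll": loaded, "reasons": reasons}

def find_side_loads(events):
    """Filter a stream of image-load events down to suspicious ones."""
    return [f for f in map(classify_load, events) if f is not None]

# Constructed sample events (not real telemetry).
VISIO = r"C:\Program Files\Microsoft Office\Office16\VISIO.EXE"
SAMPLE_EVENTS = [
    {"Image": VISIO, "ImageLoaded": r"C:\Windows\System32\ole32.dll", "Signed": "true"},
    {"Image": VISIO, "ImageLoaded": r"C:\Users\alice\Downloads\plan\example.dll", "Signed": "false"},
    # '..' segments must not let a path pass the trusted-root prefix check
    {"Image": VISIO, "ImageLoaded": r"C:\Program Files\..\Users\Public\example.dll", "Signed": "true"},
    {"Image": VISIO, "ImageLoaded": r"\\fileserver\share\plans\example.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Users\alice\x.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for finding in find_side_loads(SAMPLE_EVENTS):
        print(finding["dll"], "->", ", ".join(finding["reasons"]))
```

A signed DLL outside the trusted roots is still reported, because a valid signature says nothing about whether the load path was the intended one.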
CVSS provenance
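| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |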
CISA
Microsoft Office OLE DLL Side Loading Vulnerability
cisa·2021-11-03·CVSS 7.8
CVE-2016-3235 [HIGH] CWE-264 Microsoft Office OLE DLL Side Loading Vulnerability
Vulnerability: Microsoft Office OLE DLL Side Loading Vulnerability
Affected: Microsoft Office
Microsoft Office Object Linking & Embedding (OLE) dynamic link library (DLL) contains a side loading vulnerability due to it improperly validating input before loading libraries. Successful exploitation allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-3235
Remediation Due Date: 2022-05-03
Microsoft
Microsoft Office Remote Code Execution Vulnerability
vendor_msrc·2016-06-14·CVSS 7.8
CVE-2016-3235 [HIGH] Microsoft Office Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists when Microsoft Office improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, an attacker must first convince a user to open a specially crafted Office document.
The updates address the vulnerability by correcting how Office validates input before loading DLL files.
VulDB
Microsoft Office up to 2016 OLE DLL access control (MS16-070 / EDB-41706)
vuldb·2026-04-23·CVSS 7.8
CVE-2016-3235 [HIGH] Microsoft Office up to 2016 OLE DLL access control (MS16-070 / EDB-41706)
A vulnerability was found in Microsoft Office 2007 SP3/2010 SP2/2013 RT SP1/2013 SP1/2016 and classified as critical. This issue affects some unknown processing of the component OLE DLL Handler. Such manipulation leads to improper access controls.
This vulnerability is listed as CVE-2016-3235. The attack may be performed from remote. In addition, an exploit is available.
A patch should be applied to remediate this issue.
GHSA
GHSA-75wh-cm5h-4j85: Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, Visio Viewer 2007 SP3, and Visio Viewer 2010 mishandle library loading, which al
ghsa_unreviewed·2022-05-14
CVE-2016-3235 [HIGH] GHSA-75wh-cm5h-4j85: Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, Visio Viewer 2007 SP3, and Visio Viewer 2010 mishandle library loading, which al
Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, Visio Viewer 2007 SP3, and Visio Viewer 2010 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Microsoft Office OLE DLL Side Loading Vulnerability."
VulnCheck
Microsoft Office OLE DLL Side Loading Vulnerability
vulncheck·2016·CVSS 7.8
CVE-2016-3235 [HIGH] CWE-264 Microsoft Office OLE DLL Side Loading Vulnerability
Microsoft Office Object Linking & Embedding (OLE) dynamic link library (DLL) contains a side loading vulnerability due to it improperly validating input before loading libraries. Successful exploitation allows for remote code execution.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
No detection rules found.
Exploit-DB
Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)
exploitdb·2015-12-08
CVE-2016-3235 Microsoft Office - OLE Multiple DLL Side Loading Vulnerabilities (MS15-132/MS16-014/MS16-025/MS16-041/MS16-070) (Metasploit)
---
require 'zip'
require 'base64'
require 'msf/core'
require 'rex/ole'
class MetasploitModule 'Office OLE Multiple DLL Side Loading Vulnerabilities',
'Description' => %q{
Multiple DLL side loading vulnerabilities were found in various COM components.
These issues can be exploited by loading various these components as an embedded
OLE object. When instantiating a vulnerable object Windows will try to load one
or more DLLs from the current working directory. If an attacker convinces the
victim to open a specially crafted (Office) document from a directory also
containing the attacker's DLL file, it is possible to execute arbitrary code with
the privileges of the ta
Metasploit
Office OLE Multiple DLL Side Loading Vulnerabilities
metasploit
Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading these components as an embedded OLE object. When instantiating a vulnerable object, Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker's DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Talos
Microsoft Patch Tuesday - June 2016
blogs_talos·2016-06-14
## Microsoft Patch Tuesday - June 2016
This post was authored by Warren Mercer.
Patch Tuesday for June 2016 has arrived where Microsoft releases their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release contains 17 bulletins addressing 44 vulnerabilities. Five bulletins resolve critical vulnerabilities found in MS DNS Server, Edge, Internet Explorer, JScript/VBScript, and Office. The remaining bulletins are rated important and address vulnerabilities in Active Directory, Exchange Server, Group Policy, SMB Server, Netlogon, Windows Graphics component, Windows Kernel-mode Drivers, Windows PDF, Window Search Component, and WPAD.
## Bulletins Rated Critical
Microsoft bulletins MS16-063, MS16-068 through MS16-071, and MS16-083 are rated as critical in this relea
- http://packetstormsecurity.com/files/137490/Microsoft-Visio-DLL-Hijacking.html
- http://seclists.org/fulldisclosure/2016/Jun/32
- http://www.securityfocus.com/archive/1/538685/100/0/threaded
- http://www.securitytracker.com/id/1036093
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-070
- https://www.securify.nl/advisory/SFY20150804/microsoft_visio_multiple_dll_side_loading_vulnerabilities.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3235
- 2016-06-16: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild