CVE-2016-3366
Published: 2016-09-14
CVE-2016-3366: Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, Outlook 2016, and Outlook 2016 for Mac do not properly implement RFC 2046…
Priority: P339 · medium · 6.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS: 16.23% (96.5th percentile)
Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, Outlook 2016, and Outlook 2016 for Mac do not properly implement RFC 2046, which allows remote attackers to bypass virus or spam detection via crafted MIME data in an e-mail attachment, aka "Microsoft Office Spoofing Vulnerability."
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | outlook | — | — |
| microsoft | outlook | — | — |
| microsoft | outlook | — | — |
| microsoft | outlook | — | — |
| msrc | microsoft_outlook_2007_service_pack_3 | — | — |
| msrc | microsoft_outlook_2010_service_pack_2 | — | — |
| msrc | microsoft_outlook_2013_rt_service_pack_1 | — | — |
| msrc | microsoft_outlook_2013_service_pack_1 | — | — |
| msrc | microsoft_outlook_2016 | — | — |
| msrc | microsoft_outlook_2016_for_mac | — | — |
CVSS provenance
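| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_msrc | — | 6.5 | HIGH | — |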
Microsoft
Microsoft Outlook Spoofing Vulnerability
vendor_msrc·2016-09-13·CVSS 6.5
CVE-2016-3366 [MEDIUM] Microsoft Outlook Spoofing Vulnerability
Description: A spoofing vulnerability exists when Microsoft Outlook does not strictly adhere to RFC2046, and improperly identifies the end of a MIME attachment. An improper MIME attachment ending may cause antivirus or antispam scanning to not work as intended.
To exploit the vulnerability, an attacker could send a specially crafted email attachment to a user in an attempt to launch a social engineering attack, such as phishing.
The security update addresses the vulnerability by correcting how Outlook determines the end of MIME messages.
FAQ: I am being offered this update for software that is not specifically indicated as being affected in the Affected Software and Vulnerability Severity Ratings table. Why am I being offered this update?
When upd
GHSA
GHSA-mm4r-5hp7-v6q3: Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, Outlook 2016, and Outlook 2016 for Mac do not properly implement
ghsa_unreviewed·2022-05-13
CVE-2016-3366 [MEDIUM] CWE-284 GHSA-mm4r-5hp7-v6q3: Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, Outlook 2016, and Outlook 2016 for Mac do not properly implement
Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, Outlook 2016, and Outlook 2016 for Mac do not properly implement RFC 2046, which allows remote attackers to bypass virus or spam detection via crafted MIME data in an e-mail attachment, aka "Microsoft Office Spoofing Vulnerability."
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.securityfocus.com/bid/92831
http://www.securitytracker.com/id/1036785
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-107