SB2012021504 - Multiple vulnerabilities in Microsoft Visio Viewer

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2012-0018)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Microsoft Visio Viewer 2010 Gold and SP1 does not properly validate attributes in Visio files, which allows remote attackers to execute arbitrary code via a crafted file, aka "VSD File Format Memory Corruption Vulnerability."

2) Code Injection (CVE-ID: CVE-2012-0019)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka "VSD File Format Memory Corruption Vulnerability," a different vulnerability than CVE-2012-0020, CVE-2012-0136, CVE-2012-0137, and CVE-2012-0138.

3) Code Injection (CVE-ID: CVE-2012-0020)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka "VSD File Format Memory Corruption Vulnerability," a different vulnerability than CVE-2012-0019, CVE-2012-0136, CVE-2012-0137, and CVE-2012-0138.

4) Code Injection (CVE-ID: CVE-2012-0136)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka "VSD File Format Memory Corruption Vulnerability," a different vulnerability than CVE-2012-0019, CVE-2012-0020, CVE-2012-0137, and CVE-2012-0138.

5) Code Injection (CVE-ID: CVE-2012-0137)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka "VSD File Format Memory Corruption Vulnerability," a different vulnerability than CVE-2012-0019, CVE-2012-0020, CVE-2012-0136, and CVE-2012-0138.

6) Code Injection (CVE-ID: CVE-2012-0138)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Microsoft Visio Viewer 2010 Gold and SP1 does not properly handle memory during the parsing of files, which allows remote attackers to execute arbitrary code via crafted attributes in a Visio file, aka "VSD File Format Memory Corruption Vulnerability," a different vulnerability than CVE-2012-0019, CVE-2012-0020, CVE-2012-0136, and CVE-2012-0137.

Remediation

Install update from vendor's website.

References

• http://osvdb.org/81731
• http://secunia.com/advisories/49113
• http://www.securityfocus.com/bid/53328
• http://www.securitytracker.com/id?1027042
• http://www.us-cert.gov/cas/techalerts/TA12-129A.html
• https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-031
• https://exchange.xforce.ibmcloud.com/vulnerabilities/75115
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15606
• http://www.us-cert.gov/cas/techalerts/TA12-045A.html
• https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-015
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14347
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14965
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14924
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14602
• https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14811