Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-1034

A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Word software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file. The security update addresses the vulnerability by correcting how Microsoft Word handles files in memory.

Published

2019-06-12T14:29:03.557

Last Modified

2025-05-20T18:15:38.893

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 7.8 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

8.6

Impact Score

10.0

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	microsoft	office	2010	Yes
Application	microsoft	office	2016	Yes
Application	microsoft	office	2019	Yes
Application	microsoft	office	2019	Yes
Application	microsoft	office_365_proplus	-	Yes
Application	microsoft	office_online_server	-	Yes
Application	microsoft	office_web_apps	2010	Yes
Application	microsoft	sharepoint_enterprise_server	2013	Yes
Application	microsoft	sharepoint_enterprise_server	2016	Yes
Application	microsoft	sharepoint_server	2010	Yes
Application	microsoft	sharepoint_server	2019	Yes
Application	microsoft	word	2010	Yes
Application	microsoft	word	2013	Yes
Application	microsoft	word	2013	Yes
Application	microsoft	word	2016	Yes

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-1034 ([email protected])
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1034 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)