CVE-2016-3235
Published: 16 June 2016
Summary
CVE-2016-3235 is a high-severity vulnerability in Microsoft Visio whose weakness type (CWE) is not specified. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
The vulnerability CVE-2016-3235 is a DLL side-loading flaw in Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, Visio Viewer 2007 SP3, and Visio Viewer 2010. It arises from mishandling of library loading in the Office OLE components, enabling an attacker to substitute a malicious DLL for a legitimate one.
A local attacker can exploit the issue by placing a crafted application on a system and inducing a user to execute it, resulting in privilege escalation with full control over confidentiality, integrity, and availability on the affected host.
Microsoft's security bulletin MS16-070 describes the patches released to correct the library-loading behavior in supported Visio editions and viewers.
Public references also include proof-of-concept material on Packet Storm and the Full Disclosure mailing list demonstrating the side-load technique against the listed products.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-4273
Vulnerability details
Microsoft Visio 2007 SP3, Visio 2010 SP2, Visio 2013 SP1, Visio 2016, Visio Viewer 2007 SP3, and Visio Viewer 2010 mishandle library loading, which allows local users to gain privileges via a crafted application, aka "Microsoft Office OLE DLL Side Loading Vulnerability."
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- CM-14 (Signed Components): Requires cryptographic signing of components, directly blocking substitution of a malicious DLL for a legitimate Visio/OLE library.
- SI-7 (Software, Firmware, and Information Integrity): Performs integrity verification of software and libraries at load time, detecting or preventing the crafted DLL from being used.
- SI-3 (Malicious Code Protection): Deploys malicious-code protection mechanisms (e.g., application allow-listing or behavioral blocking) that can stop side-loaded DLL execution.
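As an added example (not part of this record and not Microsoft's tooling), the PowerShell script below audits the condition these controls address at runtime: it lists the modules a running Visio process has loaded and flags any that lack a valid Authenticode signature or were loaded from outside the program directories, which is how a side-loaded DLL shows up on a host. The process name, the set of trusted roots, and the need to run it elevated while Visio is open are assumptions.

```powershell
# Added example (not from the CVE record or Microsoft): audit the DLLs a running
# Visio process has loaded and report any that are unsigned or live outside the
# expected install/system directories, the footprint of a side-loaded library.
# Assumptions: run elevated on the host while Visio is open; the process name
# 'VISIO' and the trusted roots below are illustrative choices, not page values.
param(
    [string]$ProcessName = 'VISIO',
    [string[]]$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot)
)

function Test-TrustedPath {
    param([string]$Path, [string[]]$Roots)
    foreach ($root in $Roots) {
        if ($root -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning "No running process named $ProcessName"; return }

$findings = foreach ($proc in $procs) {
    # Module enumeration can fail across 32/64-bit boundaries; report and continue.
    try { $modules = $proc.Modules } catch { Write-Warning "PID $($proc.Id): $_"; continue }
    foreach ($m in $modules) {
        $path    = $m.FileName
        $sig     = Get-AuthenticodeSignature -FilePath $path   # Authenticode check (CM-14 / SI-7 intent)
        $trusted = Test-TrustedPath -Path $path -Roots $TrustedRoots
        if ($sig.Status -ne 'Valid' -or -not $trusted) {
            [pscustomobject]@{
                PID          = $proc.Id
                Module       = $m.ModuleName
                Path         = $path
                SigStatus    = $sig.Status
                Signer       = $sig.SignerCertificate.Subject
                InTrustedDir = $trusted
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path -Unique | Format-Table -AutoSize
} else {
    Write-Host "All modules loaded by $ProcessName are validly signed and under trusted roots."
}
```

A hit with SigStatus other than Valid, or with InTrustedDir false, is the starting point for an investigation, not proof of compromise; some legitimate add-ins load from per-user paths and should be reviewed and allow-listed explicitly.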