CVE-2016-7262
Published: 20 December 2016
Summary
CVE-2016-7262 is a high-severity vulnerability (unspecified weakness type) in Microsoft Excel. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, and Excel Viewer contain a security feature bypass vulnerability that permits arbitrary command execution when a crafted cell is mishandled upon user interaction. The flaw is tracked as CVE-2016-7262 and carries a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low attack complexity, required user interaction, and high impact to confidentiality, integrity, and availability.
Remote attackers can leverage the issue by supplying a malicious spreadsheet file that, once the victim opens it and clicks the crafted cell, bypasses the intended security restrictions and runs arbitrary commands on the target system. Exploitation therefore depends on user-assisted delivery, such as an email attachment or a downloaded document, rather than unauthenticated remote code execution.
The Microsoft security bulletin MS16-148 addresses the vulnerability and provides corresponding security updates for the affected Excel and Office components. No information on observed in-the-wild exploitation is supplied in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-8118
Vulnerability details
Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, and Excel Viewer allow user-assisted remote attackers to execute arbitrary commands via a crafted cell that is mishandled upon a click, aka "Microsoft Office Security Feature Bypass Vulnerability."
- CWE(s)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor security update (MS16-148) that patches the Excel security-feature bypass before a crafted cell can be used for arbitrary command execution.
- SI-3 (Malicious Code Protection): requires automated malicious-code protection mechanisms that scan and block the crafted spreadsheet file before a user click triggers the bypass.
- Least functionality: disables or restricts high-risk Excel features that could be abused to execute commands after the security bypass occurs.