Microsoft Security Response Center

Buffer over-read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.

Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Improper input validation in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally.

Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network.

'.../...//' in Microsoft Office Outlook allows an unauthorized attacker to execute code locally.

Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.

**According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?** Information in the victim's browser associated with the vulnerable URL can be read by the malicious JavaScript code and sent to the attacker.

**How could an attacker exploit this vulnerability?** An unauthenticated attacker could exploit this vulnerability by crafting a malicious RTF file. If a user opens the file or it is rendered in the preview pane, the attacker could execute arbitrary code in the user's context.

**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An attacker who successfully exploited this vulnerability could bypass Secure Boot.