#Security Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.

**Are there any additional steps that I need to follow to be protected from this vulnerability?** The changes to address this vulnerability updated Virtual Secure Mode components. The policy described in Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates has been updated to account for the latest changes. If you deployed this policy, then you'll need to redeploy using the updated policy.

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

**What privileges would an attacker gain by successfully exploiting this vulnerability?** An attacker who successfully exploited this vulnerability could potentially leak data from the target enclave or execute code within the context of the target enclave.

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** Exploitation of this vulnerability requires that an attacker convinces a user to open a maliciously crafted package file in Visual Studio.

**How could an attacker exploit this vulnerability?** The attacker would be able to bypass the protection in Outlook that prevents a potentially dangerous file extension from being attached enabling a remote code execution.

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is an out of bounds read in the caller's address space memory.

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploits this vulnerability could elevate their privileges to perform commands as Root in the target environment.

**According to the CVSS metric, the Attack Vector is Physical (AV:P). What does that mean for this vulnerability?** An attacker needs physical access to the target computer to plug in a malicious USB drive.

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file.