Source
Microsoft Security Response Center
*Why is this OpenSSL Software Foundation CVE included in the Security Update Guide?* The vulnerability assigned to this CVE is in OpenSSL Software, which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see "Security Update Guide Supports CVEs Assigned by Industry Partners" for more information.
*What is the attack vector for this vulnerability?* An attacker can write to any file where the webserver user (nt authority\\network service) has write access.
*What privileges does the attacker gain?* An attacker would only be able to delete targeted files on a system. They would not gain privileges to view or modify file contents.
*What data can be disclosed by this vulnerability?* This vulnerability allows disclosing user data redirected to the profile or Office container via FSLogix Cloud cache. This data can include user profile settings and files.
*What type of information could be disclosed by this vulnerability?* The type of information that could be disclosed if an attacker successfully exploited this vulnerability is read access to Windows RDP client passwords by RDP server administrators.
*How could an attacker exploit this vulnerability?* An authorized attacker could exploit this Windows COM vulnerability by sending from a user mode application specially crafted malicious COM traffic directed at the COM Server, which might lead to remote code execution.