CVE-2016-3235 — Microsoft Office OLE DLL Side Loading Vulnerability

Microsoft Office — OLE Component Loads Attacker-Controlled DLL from Current Working Directory; Enables Code Execution via Malicious Document on Network Share or Removable Media

What Is Microsoft Office OLE?

Microsoft Office uses Object Linking and Embedding (OLE) technology to embed and link objects between Office documents and other applications. OLE allows Office documents to contain embedded objects such as charts, spreadsheets, or linked external data sources. When Office processes OLE content — opening a document, rendering embedded objects, or loading OLE add-ins — it dynamically loads DLL (dynamic-link library) files to handle specific object types.

DLL side loading is a class of vulnerability that arises when an application loads DLLs by name without specifying a full path, allowing Windows' DLL search order to be exploited. If an attacker can place a malicious DLL with the expected name in a directory that Windows searches before the legitimate DLL location, the application loads the attacker's code instead of the intended library.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-3235 is a DLL side loading vulnerability in Microsoft Office's OLE component that enables code execution when a user opens an Office document from a directory containing a malicious DLL. When Office processes OLE objects, it loads DLL files without validating the full path, allowing Windows' DLL search order to load a malicious DLL placed by an attacker in the same directory as the Office document (the current working directory). Patched in MS16-099 (August 9, 2016). CISA added CVE-2016-3235 to the inaugural KEV catalog on November 3, 2021.

Affected Versions

Microsoft Office                          Status
Microsoft Office 2007 SP3                 Vulnerable
Microsoft Office 2010 SP2                 Vulnerable
Microsoft Office 2013 SP1                 Vulnerable
Microsoft Office 2016                     Vulnerable (pre-MS16-099)
Office versions with MS16-099 applied     Fixed

Technical Details

Root Cause: Uncontrolled DLL Search Path in OLE Processing

CVE-2016-3235 is a DLL side loading vulnerability (CWE-427) in how Microsoft Office's OLE subsystem loads DLL dependencies. Windows uses a defined DLL search order that, in older configurations, includes the current working directory (CWD) — the directory from which the application was launched or from which a document was opened. When Office opens a document containing OLE objects, it may attempt to load a DLL by name (e.g., oledlg.dll, a supporting OLE library) without specifying the full absolute path.

The attack scenario:

  1. Attacker creates a malicious DLL with the name of a DLL that Office attempts to load during OLE processing
  2. Attacker places the DLL alongside a malicious Office document on a network share, USB drive, or email attachment package
  3. User opens the document — Office processes the OLE content and loads the DLL from the current working directory (the share or USB folder) instead of System32
  4. Malicious DLL code executes at the privilege level of the Office process — the user's account

DLL Search Order and CWD Priority

Windows DLL search order (simplified) in affected configurations:

  1. Application directory
  2. Current working directory ← attacker-controlled when document opened from share/USB
  3. System32 directory
  4. System directory
  5. Windows directory
  6. PATH directories

When Office opens a file from \\fileserver\share\malicious_folder\, that path becomes the CWD, and any DLL placed there matching an expected name is loaded first.
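
Because the planted DLL loads from the document's directory rather than from a system or Office install path, image-load telemetry can expose it. The following is an added example, not part of the original advisory: it flags Office processes that load a module from a UNC path or from outside trusted roots. The records are constructed samples using the Image and ImageLoaded fields of Sysmon Event ID 7; the process list and trusted roots are assumptions.

```python
from pathlib import PureWindowsPath

# Office host processes to watch (assumed list; extend for your estate).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Roots a legitimate Office dependency is expected to load from (assumption).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample records using the Image / ImageLoaded fields of
# Sysmon Event ID 7 (Image loaded). Not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\oledlg.dll"},
    {"Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ImageLoaded": r"\\fileserver\share\malicious_folder\oledlg.dll"},
    {"Image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "ImageLoaded": r"E:\reports\oledlg.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"\\fileserver\share\malicious_folder\oledlg.dll"},
]


def classify_load(event):
    """Return a reason string when an Office process loads a DLL from an
    untrusted location, otherwise None."""
    if PureWindowsPath(event["Image"]).name.lower() not in OFFICE_IMAGES:
        return None  # only Office host processes are in scope
    loaded = PureWindowsPath(event["ImageLoaded"])
    text = str(loaded).lower()
    if text.startswith("\\\\"):
        return "loaded from UNC path"
    # A ".." component could walk out of a trusted root, so treat it as untrusted.
    if ".." in loaded.parts or not text.startswith(TRUSTED_ROOTS):
        return "loaded outside trusted roots"
    return None


def find_suspicious_loads(events):
    """Return (module path, reason) for every flagged image load."""
    flagged = ((e["ImageLoaded"], classify_load(e)) for e in events)
    return [(path, reason) for path, reason in flagged if reason]


if __name__ == "__main__":
    for path, reason in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"{reason}: {path}")
```
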

Attack Characteristics

Attribute          Detail
Attack Vector      Local — attacker-controlled directory (network share, USB, download folder)
User Interaction   Required — user must open the Office document
Payload            Malicious DLL executed at user privilege level
Delivery           Network share, USB drive, email package, or web download
Privilege Level    User's process privileges (no elevation required to exploit)

Discovery

Identified through Microsoft's security research and vulnerability disclosure process; patched in the MS16-099 security update for Microsoft Office in August 2016.

Exploitation Context

  • Targeted attack vector: DLL side loading through Office documents is a preferred technique for targeted attacks (spear phishing with package attachments, malicious network shares, or weaponized USB drops) because it bypasses macro security controls — no macro execution is needed
  • Inaugural CISA KEV batch: CVE-2016-3235 was included in CISA's inaugural KEV catalog on November 3, 2021 alongside 300 other historically exploited vulnerabilities, confirming its documented use in real attacks
  • Combination with legitimate documents: Attackers often package the malicious DLL alongside a legitimate-looking Office document; when the user opens the document, the DLL side loads silently in the background while the document renders normally, reducing suspicion
  • Network share exploitation: In environments where documents are opened from network file shares (common in enterprise environments), attackers with write access to a shared folder can plant a malicious DLL alongside shared documents, passively compromising any user who opens those documents

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply MS16-099 — install the August 2016 Microsoft Office security update (MS16-099), which patches the OLE DLL loading behavior. All subsequent Office cumulative updates include this fix. Verify via Windows Update history.

  2. Keep Office updated — apply all current Office security updates via Windows Update, Microsoft Update Catalog, or WSUS/MECM. Any modern Office version with current patches is not vulnerable.

  3. Restrict network share write access — review and restrict write permissions on network file shares; users should not have write access to directories containing shared documents unless specifically required.

  4. Enable Safe Documents — in Microsoft 365, Safe Documents scans documents opened from network locations before allowing editing, providing an additional layer of protection.

  5. Block DLL loading from network paths — configure Windows Defender Attack Surface Reduction (ASR) rules to block untrusted DLLs from loading from network shares and removable media.
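
An audit to support step 3, added here as an example and not part of the original advisory: it walks a share and reports every DLL that sits in the same directory as an Office document, which is the layout this attack depends on. The extension list, the watchlist (seeded with the oledlg.dll name mentioned above), and the sample directory tree are assumptions.

```python
import os

# Office document extensions to look for (assumed list; adjust as needed).
OFFICE_EXTS = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm",
               ".ppt", ".pptx", ".pptm"}
# DLL names to prioritise. oledlg.dll is the example named on this page;
# add the system DLL names relevant to your environment.
WATCHLIST = {"oledlg.dll"}


def build_sample_share(root):
    """Create a small constructed directory tree for demonstration."""
    layout = {
        "finance": ["Q3-forecast.docx", "oledlg.dll"],  # watchlisted DLL beside a doc
        "hr": ["policy.xlsx", "helper.DLL"],            # unknown DLL beside a doc
        "tools": ["util.dll"],                          # DLL, but no documents
        "archive": ["notes.docx"],                      # document, but no DLL
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            open(os.path.join(root, folder, name), "wb").close()


def find_colocated_dlls(root, watchlist=WATCHLIST):
    """Report every DLL that shares a directory with an Office document."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        docs = sorted(f for f in files
                      if os.path.splitext(f)[1].lower() in OFFICE_EXTS)
        if not docs:
            continue
        for dll in sorted(f for f in files if f.lower().endswith(".dll")):
            findings.append({
                "directory": dirpath,
                "dll": dll,
                "documents": docs,
                "priority": "high" if dll.lower() in watchlist else "review",
            })
    # Watchlisted names first, then by location for stable output.
    return sorted(findings, key=lambda f: (f["priority"] != "high",
                                           f["directory"], f["dll"]))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        for f in find_colocated_dlls(tmp):
            print(f["priority"], os.path.join(f["directory"], f["dll"]))
```
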

Key Details

Property               Value
CVE ID                 CVE-2016-3235
Vendor / Product       Microsoft — Office
NVD Published          2016-06-16
NVD Last Modified      2025-10-22
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-427 — Uncontrolled Search Path Element
CISA KEV Added         2021-11-03
CISA KEV Deadline      2022-05-03
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date         Event
2016-06-16   CVE-2016-3235 published by NVD
2016-08-09   Microsoft releases MS16-099 security update for Office patching CVE-2016-3235
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog (inaugural KEV batch)
2022-05-03   CISA BOD 22-01 remediation deadline