Think you have a false positive on this rule?

Sid 1-35190


FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt


This rule looks for attempts to exploit a memory corruption vulnerability in Microsoft Word.


Attempted User Privilege Gain


CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Detailed information

This rule fires when attackers attempt to exploit a heap corruption vulnerability in Microsoft Word's sprmPItap parsing. CVE-2015-2379: Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Office for Mac 2011, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Microsoft Office Memory Corruption Vulnerability."

Affected systems

  • microsoft office 2010
  • microsoft office 2011
  • microsoft word 2007
  • microsoft word 2013
  • microsoft word_viewer *

Ease of attack


Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

False positives

None known

False negatives

None known

Corrective action


  • Talos research team.
  • This document was generated from data supplied by the national vulnerability database, a product of the national institute of standards and technology.
  • For more information see nvd.

Additional References

  • CVE-2019-1201