Think you have a false positive on this rule?

Sid 1-44822


FILE-OFFICE Microsoft Excel use after free vulnerability exploit attempt


This event is generated when an attacker attempts to exploit a use after free vulnerability in Microsoft Excel.


Attempted User Privilege Gain


CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

Rule checks for an attempt to exploit a use after free vulnerability in Microsoft Excel. CVE-2017-11878: Microsoft Excel 2007 Service Pack 3, Microsoft Excel 2010 Service Pack 2, Microsoft Excel 2013 Service Pack 1, Microsoft Excel 2013 RT Service Pack 1, Microsoft Excel 2016, Microsoft Office Compatibility Pack Service Pack 3, and Microsoft Excel Viewer 2007 Service Pack 3 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Excel Memory Corruption Vulnerability".

Affected systems

  • microsoft excel 2013
  • microsoft excel 2016
  • microsoft excel_2007 -
  • microsoft excel_2010 *
  • microsoft excel2013rt -
  • microsoft excel_viewer 2007
  • microsoft officecompatibilitypack -

Ease of attack


Access Vector

Access Complexity


False positives

Not known

False negatives

Not known

Corrective action

Update Microsoft Excel to the latest version.


  • Cisco's Talos Intelligence Group

Additional References