Sid 1-44822

Message

FILE-OFFICE Microsoft Excel use after free vulnerability exploit attempt

Summary

This event is generated when an attacker attempts to exploit a use after free vulnerability in Microsoft Excel.

Impact

Attempted User Privilege Gain

CVE-2017-11878:

CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

The rule checks for an attempt to exploit a use after free vulnerability in Microsoft Excel.

CVE-2017-11878: Microsoft Excel 2007 Service Pack 3, Microsoft Excel 2010 Service Pack 2, Microsoft Excel 2013 Service Pack 1, Microsoft Excel 2013 RT Service Pack 1, Microsoft Excel 2016, Microsoft Office Compatibility Pack Service Pack 3, and Microsoft Excel Viewer 2007 Service Pack 3 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Excel Memory Corruption Vulnerability".

Affected systems

  • microsoft excel 2013
  • microsoft excel 2016
  • microsoft excel_2007 -
  • microsoft excel_2010 *
  • microsoft excel2013rt -
  • microsoft excel_viewer 2007
  • microsoft officecompatibilitypack -

Ease of attack

CVE-2017-11878:

Access Vector

Access Complexity

Authentication

False positives

Not known

False negatives

Not known

Corrective action

Update Microsoft Excel to the latest version.

Contributors

  • Cisco's Talos Intelligence Group