Sid 1-45402

Message

FILE-OFFICE Microsoft Word memory corruption exploit attempt

Summary

This event is generated when an attacker attempts to exploit a memory corruption vulnerability in Microsoft Word.

Impact

Potential user access to the victim's machine

CVE-2018-0797:

CVSS base score

CVSS impact score

CVSS exploitability score

Confidentiality Impact

Integrity Impact

Availability Impact

Detailed information

Rule checks for a memory corruption exploit used against Microsoft Word. CVE-2018-0797: Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way RTF content is handled, aka "Microsoft Word Memory Corruption Vulnerability".

Affected systems

Ease of attack

Hard

False positives

Not known

False negatives

Not known

Corrective action

Implement all patches referenced here: portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0797

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0797