Sid 1-46182

Message

FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt

Summary

This event is generated when graphics-related remote code execution is attempted in MS Excel.

Impact

Misc activity

CVE-2018-1028:

CVSS base score 8.8

CVSS impact score 5.9

CVSS exploitability score 2.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2018-1028: A remote code execution vulnerability exists when the Office graphics component improperly handles specially crafted embedded fonts, aka "Microsoft Office Graphics Remote Code Execution Vulnerability." This affects Word, Microsoft Office, Microsoft SharePoint, Excel, Microsoft SharePoint Server.

Affected systems

  • microsoft excel_services -
  • microsoft office 2013
  • microsoft office 2013_rt
  • microsoft office 2016
  • microsoft office_2010 *
  • microsoft officewebapps 2010
  • microsoft officewebapps 2013
  • microsoft sharepointenterpriseserver 2013
  • microsoft sharepointenterpriseserver 2016
  • microsoft wordautomationservices -

Ease of attack

CVE-2018-1028:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1028