Sid 1-46602

Message

FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt

Summary

This event is generated when an attempt to exploit a use-after-free vulnerability in Microsoft Outlook 2013 or 2016 is detected.

Impact

Attempted Administrator Privilege Gain

CVE-2018-8161:

CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

Successful exploitation of this vulnerability could result in remote code execution in the context of the user who opened the malicious content. CVE-2018-8161: A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability." This affects Microsoft Word, Microsoft Office, and Microsoft SharePoint. This CVE ID is unique from CVE-2018-8157 and CVE-2018-8158. Note that the rule message names Outlook, while the CVE description covers the wider Office family listed below.

Affected systems

  • microsoft office 2010
  • microsoft office 2013
  • microsoft office 2016
  • microsoft officewebapps 2010
  • microsoft officewebapps 2013
  • microsoft sharepoint_server 2010
  • microsoft sharepoint_server 2013
  • microsoft sharepoint_server 2016
  • microsoft word 2010
  • microsoft word 2013
  • microsoft word 2016

Ease of attack

Simple

False positives

N/A

False negatives

N/A

Corrective action

Apply the Microsoft security update for CVE-2018-8161 (see Additional References) to all affected Office, Word, and SharePoint installations, including Microsoft Outlook.

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8161