Sid 1-49494

Message

FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt

Summary

This event is generated when an attempt is made to exploit a remote code execution vulnerability in the OLEAUT32 library.

Impact

Attempted User Privilege Gain

CVE-2012-1856:

CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

CVE-2013-1313:

CVSS base score 9.3

CVSS impact score 10.0

CVSS exploitability score 8.6

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Detailed information

CVE-2012-1856: The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka "MSCOMCTL.OCX RCE Vulnerability."

CVE-2013-1313: Object Linking and Embedding (OLE) Automation in Microsoft Windows XP SP3 does not properly allocate memory, which allows remote attackers to execute arbitrary code via a crafted RTF document, aka "OLE Automation Remote Code Execution Vulnerability."

Affected systems

  • microsoft commerce_server 2002
  • microsoft commerce_server 2007
  • microsoft commerce_server 2009
  • microsoft hostintegrationserver 2004
  • microsoft office 2003
  • microsoft office 2007
  • microsoft office 2010
  • microsoft officewebcomponents 2003
  • microsoft sql_server 2000
  • microsoft sql_server 2005
  • microsoft sql_server 2008
  • microsoft visual_basic 6.0
  • microsoft visual_foxpro 8.0
  • microsoft visual_foxpro 9.0
  • microsoft windows_xp *

Ease of attack

CVE-2012-1856:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

CVE-2013-1313:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

False positives

False negatives

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • technet.microsoft.com/en-us/security/bulletin/MS12-060
  • technet.microsoft.com/en-us/security/bulletin/MS13-020