Sid 1-50086

Message

FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt

Summary

This event is generated when an Office document is detected that contains a specially crafted EMF file exploiting CVE-2019-0882.

Impact

Information disclosure

Detailed information

Affected systems

Ease of attack

Simple

False positives

None known

False negatives

None known

Corrective action

Isolate and remediate the affected system in accordance with your organization's incident response policy.

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • CVE-2019-0882
  • portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0882