FILE-OFFICE -- Snort detected traffic targeting vulnerabilities in files belonging to the Microsoft Office suite of software (Excel, PowerPoint, Word, Visio, Access, Outlook, etc.).
FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt
This rule detects the attempted download of an RTF file containing embedded Microsoft Equation Editor OLE data by searching for an object with the obfuscated class type of "Equation.3".
What To Look For
This rule detects the attempted download of an RTF file containing embedded Microsoft Equation Editor OLE data.
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
Technique: Exploitation for Client Execution
For reference, see the MITRE ATT&CK vulnerability types here:
Buffer Overflows occur when a memory location is filled past its expected boundaries. Computer attackers target systems without proper terminating conditions on buffers, which then write the additional information in other locations in memory, overwriting what is there. This could corrupt the data, making the system behave erratically or crash. The new information could include malicious executable code, which might be executed.
CVE Additional Information
CVE-2017-11882Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
||Ease of Access||