{"id": "OPENVAS:1361412562310805811", "bulletinFamily": "scanner", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "published": "2015-07-15T00:00:00", "modified": "2018-10-12T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070", "https://technet.microsoft.com/en-us/security/bulletin/ms15-070"], "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "type": "openvas", "lastseen": "2018-10-22T16:38:12", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "75312e73c53be7d71f723d5e07ad51e82262e9c997914ed84544fc59545c2d3c", "hashmap": [{"hash": "bb6754d79f2132b0e347144186a9bc7d", "key": "references"}, {"hash": "9bc2513a9afb621223fc7b827b4730e3", "key": "description"}, {"hash": "dbaad86219df8ed5ae8594dfb7671a12", "key": "sourceData"}, {"hash": "1bd2437e51c65f396d573496bf505abf", "key": "modified"}, {"hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e", "key": "title"}, {"hash": "b0ca152f2b27a812e2f2b87d3fe780f8", "key": "published"}, {"hash": "617e6f50c56eaa4331691c7265607b87", "key": "cvelist"}, {"hash": "361910b6fb469730e56758bd54ea77df", "key": "pluginID"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "edb0556a59a18ed6b6e2464eb93a43b5", "key": "href"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "id": "OPENVAS:1361412562310805811", "lastseen": "2018-08-30T19:21:48", "modified": "2017-01-20T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310805811", "published": "2015-07-15T00:00:00", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 5053 2017-01-20 13:10:56Z cfi $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 5053 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-01-20 14:10:56 +0100 (Fri, 20 Jan 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"\n Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## variable Initialization\nwinwordVer = \"\";\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message(0);\n exit(0);\n }\n}\n", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-30T19:21:48"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "adf5a0e5f1c323e663acb18624b2ef675218c840368b9ddb19e513bb34ce472d", "hashmap": [{"hash": "bb6754d79f2132b0e347144186a9bc7d", "key": "references"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "704c887ec56b5c516fa7b02953bad633", "key": "modified"}, {"hash": "9bc2513a9afb621223fc7b827b4730e3", "key": "description"}, {"hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e", "key": "title"}, {"hash": "b0ca152f2b27a812e2f2b87d3fe780f8", "key": "published"}, {"hash": "617e6f50c56eaa4331691c7265607b87", "key": "cvelist"}, {"hash": "361910b6fb469730e56758bd54ea77df", "key": "pluginID"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "d86ac9c74422b7d298d5ec74bf83708e", "key": "sourceData"}, {"hash": "edb0556a59a18ed6b6e2464eb93a43b5", "key": "href"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "id": "OPENVAS:1361412562310805811", "lastseen": "2018-09-05T11:35:25", "modified": "2018-09-04T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310805811", "published": "2015-07-15T00:00:00", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 11227 2018-09-04 13:25:37Z mmartin $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 11227 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-04 15:25:37 +0200 (Tue, 04 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 4, "lastseen": "2018-09-05T11:35:25"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "07f1af6b15f2505dc85e1f9d70626636d35883999d6c163aba28aea12185a88d", "hashmap": [{"hash": "bb6754d79f2132b0e347144186a9bc7d", "key": "references"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9bc2513a9afb621223fc7b827b4730e3", "key": "description"}, {"hash": "dbaad86219df8ed5ae8594dfb7671a12", "key": "sourceData"}, {"hash": "1bd2437e51c65f396d573496bf505abf", "key": "modified"}, {"hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e", "key": "title"}, {"hash": "b0ca152f2b27a812e2f2b87d3fe780f8", "key": "published"}, {"hash": "617e6f50c56eaa4331691c7265607b87", "key": "cvelist"}, {"hash": "361910b6fb469730e56758bd54ea77df", "key": "pluginID"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "edb0556a59a18ed6b6e2464eb93a43b5", "key": "href"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "id": "OPENVAS:1361412562310805811", "lastseen": "2017-07-02T21:11:46", "modified": "2017-01-20T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310805811", "published": "2015-07-15T00:00:00", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 5053 2017-01-20 13:10:56Z cfi $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 5053 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-01-20 14:10:56 +0100 (Fri, 20 Jan 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"\n Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## variable Initialization\nwinwordVer = \"\";\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message(0);\n exit(0);\n }\n}\n", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 1, "lastseen": "2017-07-02T21:11:46"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "073c7e4f6215241ed450977e53ec907e0eaf26eef4ec2cad1967a5332681230e", "hashmap": [{"hash": "bb6754d79f2132b0e347144186a9bc7d", "key": "references"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9bc2513a9afb621223fc7b827b4730e3", "key": "description"}, {"hash": "4bc861fee4623afb10f01338b2d46399", "key": "sourceData"}, {"hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e", "key": "title"}, {"hash": "b0ca152f2b27a812e2f2b87d3fe780f8", "key": "published"}, {"hash": "617e6f50c56eaa4331691c7265607b87", "key": "cvelist"}, {"hash": "4f39b12f12b9cfc524b1a9ccce1883fb", "key": "modified"}, {"hash": "361910b6fb469730e56758bd54ea77df", "key": "pluginID"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "edb0556a59a18ed6b6e2464eb93a43b5", "key": "href"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "id": "OPENVAS:1361412562310805811", "lastseen": "2018-09-26T14:18:07", "modified": "2018-09-26T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310805811", "published": "2015-07-15T00:00:00", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 11612 2018-09-26 05:47:26Z cfischer $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 11612 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-26 07:47:26 +0200 (Wed, 26 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "type": "openvas", "viewCount": 0}, "differentElements": ["references", "modified", "sourceData"], "edition": 6, "lastseen": "2018-09-26T14:18:07"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "07f1af6b15f2505dc85e1f9d70626636d35883999d6c163aba28aea12185a88d", "hashmap": [{"hash": "bb6754d79f2132b0e347144186a9bc7d", "key": "references"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9bc2513a9afb621223fc7b827b4730e3", "key": "description"}, {"hash": "dbaad86219df8ed5ae8594dfb7671a12", "key": "sourceData"}, {"hash": "1bd2437e51c65f396d573496bf505abf", "key": "modified"}, {"hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e", "key": "title"}, {"hash": "b0ca152f2b27a812e2f2b87d3fe780f8", "key": "published"}, {"hash": "617e6f50c56eaa4331691c7265607b87", "key": "cvelist"}, {"hash": "361910b6fb469730e56758bd54ea77df", "key": "pluginID"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "edb0556a59a18ed6b6e2464eb93a43b5", "key": "href"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "id": "OPENVAS:1361412562310805811", "lastseen": "2018-09-01T23:49:22", "modified": "2017-01-20T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310805811", "published": "2015-07-15T00:00:00", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 5053 2017-01-20 13:10:56Z cfi $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 5053 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-01-20 14:10:56 +0100 (Fri, 20 Jan 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"\n Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## variable Initialization\nwinwordVer = \"\";\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message(0);\n exit(0);\n }\n}\n", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2018-09-01T23:49:22"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "b4bcf45979b3e72643dcd2854c9b1fd865f162b3d4ee3a90ad37425711b8e428", "hashmap": [{"hash": "c803851578a6a1325f38a675a19c11f6", "key": "sourceData"}, {"hash": "bb6754d79f2132b0e347144186a9bc7d", "key": "references"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9bc2513a9afb621223fc7b827b4730e3", "key": "description"}, {"hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e", "key": "title"}, {"hash": "b0ca152f2b27a812e2f2b87d3fe780f8", "key": "published"}, {"hash": "617e6f50c56eaa4331691c7265607b87", "key": "cvelist"}, {"hash": "361910b6fb469730e56758bd54ea77df", "key": "pluginID"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "c546ec5a83c8267a23fb611906cdec7f", "key": "modified"}, {"hash": "edb0556a59a18ed6b6e2464eb93a43b5", "key": "href"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "id": "OPENVAS:1361412562310805811", "lastseen": "2018-09-17T13:35:18", "modified": "2018-09-17T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310805811", "published": "2015-07-15T00:00:00", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 11424 2018-09-17 08:03:52Z mmartin $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 11424 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-17 10:03:52 +0200 (Mon, 17 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 5, "lastseen": "2018-09-17T13:35:18"}], "edition": 7, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "617e6f50c56eaa4331691c7265607b87"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "9bc2513a9afb621223fc7b827b4730e3"}, {"key": "href", "hash": "edb0556a59a18ed6b6e2464eb93a43b5"}, {"key": "modified", "hash": "8be90a922e3fddc17514b9fd17f39e9b"}, {"key": "naslFamily", "hash": "c9898bc973bfffca5119f1a3bfa73a8d"}, {"key": "pluginID", "hash": "361910b6fb469730e56758bd54ea77df"}, {"key": "published", "hash": "b0ca152f2b27a812e2f2b87d3fe780f8"}, {"key": "references", "hash": "4fc7072ed00407c84835ca3fea84a442"}, {"key": "reporter", "hash": "1e898993712db5cf9f9a110102684025"}, {"key": "sourceData", "hash": "6f07f92fd3746e891ea9f8dc6702f4c4"}, {"key": "title", "hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "96cb83551794011c23acbca9801f131204fce96e76a195b8cd15427f45e2d9c3", "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and install the hotfixes from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "pluginID": "1361412562310805811"}

{"cve": [{"lastseen": "2018-10-13T11:06:58", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-070", "http://www.securitytracker.com/id/1032899"], "description": "Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, and Word 2013 RT SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "edition": 3, "reporter": "NVD", "published": "2015-07-14T17:59:14", "title": "CVE-2015-2380", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2015-2380"], "scanner": [], "modified": "2018-10-12T18:09:19", "cpe": ["cpe:/a:microsoft:word:2013:sp1", "cpe:/a:microsoft:word:2010:sp2:~~~~x64~", "cpe:/a:microsoft:word:2013:sp1:~~rt~~~", "cpe:/a:microsoft:word:2010:sp2:~~~x86~~", "cpe:/a:microsoft:office:2010:sp2:~~~~x64~", "cpe:/a:microsoft:office:2010:sp2:~~~~x86~", "cpe:/a:microsoft:word:2007:sp3"], "id": "CVE-2015-2380", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-13T11:06:58", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-070", "http://www.securitytracker.com/id/1032899"], "description": "Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Office for Mac 2011, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "edition": 3, "reporter": "NVD", "published": "2015-07-14T17:59:13", "title": "CVE-2015-2379", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2015-2379"], "scanner": [], "modified": "2018-10-12T18:09:18", "cpe": ["cpe:/a:microsoft:word:2013:sp1", "cpe:/a:microsoft:office:2011::~~~mac~~", "cpe:/a:microsoft:word_viewer", "cpe:/a:microsoft:word:2013:sp1:~~rt~~~", "cpe:/a:microsoft:office:2010:sp2:~~~~x64~", "cpe:/a:microsoft:office:2010:sp2:~~~~x86~", "cpe:/a:microsoft:word:2007:sp3"], "id": "CVE-2015-2379", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-13T11:06:58", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-070", "http://www.securitytracker.com/id/1032899"], "description": "Microsoft PowerPoint 2007 SP3, Word 2007 SP3, PowerPoint 2010 SP2, Word 2010 SP2, PowerPoint 2013 SP1, Word 2013 SP1, and PowerPoint 2013 RT SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "edition": 3, "reporter": "NVD", "published": "2015-07-14T17:59:35", "title": "CVE-2015-2424", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2015-2424"], "scanner": [], "modified": "2018-10-12T18:09:28", "cpe": ["cpe:/a:microsoft:word:2013:sp1", "cpe:/a:microsoft:powerpoint:2013:sp1:~~rt~~~", "cpe:/a:microsoft:powerpoint:2007:sp3", "cpe:/a:microsoft:word:2010:sp2:~~~~x64~", "cpe:/a:microsoft:word:2010:sp2:~~~x86~~", "cpe:/a:microsoft:powerpoint:2010:sp2", "cpe:/a:microsoft:word:2007:sp3", "cpe:/a:microsoft:powerpoint:2013:sp1"], "id": "CVE-2015-2424", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-14T22:42:47", "references": [], "description": "### Description\n\nMicrosoft Office is prone to a remote memory-corruption vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2010 Service Pack 2 (32-bit editions) \n * Microsoft Office 2010 Service Pack 2 (64-bit editions) \n * Microsoft Office for Mac 2011 \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2013 RT Service Pack 1 \n * Microsoft Word 2013 Service Pack 1 (32-bit editions) \n * Microsoft Word 2013 Service Pack 1 (64-bit editions) \n * Microsoft Word Viewer \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "reporter": "Symantec Security Response", "published": "2015-07-14T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "symantec", "title": "Microsoft Office CVE-2015-2379 Memory Corruption Vulnerability", "bulletinFamily": "software", "affectedSoftware": [{"name": "Microsoft Word", "version": "2010 Service Pack 2 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2007 SP3 ", "operator": "eq"}, {"name": "Microsoft Office", "version": "2010 Service Pack 2 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2013 Service Pack 1 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft Office", "version": "2010 Service Pack 2 (64-bit editions) ", "operator": "eq"}, {"name": "Microsoft Office for Mac", "version": "2011 ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2013 Service Pack 1 (64-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2013 RT Service Pack 1 ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2010 Service Pack 2 (64-bit editions) ", "operator": "eq"}], "cvelist": ["CVE-2015-2379"], "modified": "2015-07-14T00:00:00", "id": "SMNTC-75645", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75645", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T00:21:44", "references": [], "edition": 2, "description": "### Description\n\nMicrosoft Office is prone to a remote memory-corruption vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft PowerPoint 2007 SP3 \n * Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions) \n * Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions) \n * Microsoft PowerPoint 2013 RT Service Pack 1 \n * Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions) \n * Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions) \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2013 Service Pack 1 (32-bit editions) \n * Microsoft Word 2013 Service Pack 1 (64-bit editions) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "reporter": "Symantec Security Response", "published": "2015-07-14T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "symantec", "title": "Microsoft Office CVE-2015-2424 Memory Corruption Vulnerability", "bulletinFamily": "software", "affectedSoftware": [{"name": "Microsoft PowerPoint", "version": "2007 SP3 ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2010 Service Pack 2 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2007 SP3 ", "operator": "eq"}, {"name": "Microsoft PowerPoint", "version": "2010 Service Pack 2 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft PowerPoint", "version": "2013 Service Pack 1 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2013 Service Pack 1 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft PowerPoint", "version": "2013 Service Pack 1 (64-bit editions) ", "operator": "eq"}, {"name": "Microsoft PowerPoint", "version": "2013 RT Service Pack 1 ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2013 Service Pack 1 (64-bit editions) ", "operator": "eq"}, {"name": "Microsoft PowerPoint", "version": "2010 Service Pack 2 (64-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2010 Service Pack 2 (64-bit editions) ", "operator": "eq"}], "cvelist": ["CVE-2015-2424"], "modified": "2015-07-14T00:00:00", "id": "SMNTC-75744", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75744", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:41:54", "references": ["https://technet.microsoft.com/library/security/ms15-070"], "pluginID": "84739", "description": "The remote Windows host has a version of Microsoft Office, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, SharePoint Server, or Microsoft Office Compatibility Pack installed that is affected by multiple vulnerabilities :\n\n - An ASLR bypass vulnerability exists in Microsoft Excel due to memory being released in an unintended manner. A remote attacker can exploit this by convincing a user to open a specially crafted Excel (.xls) file, allowing the attacker to more reliably predict the memory offsets of specific instructions in a given call stack. The attacker can then utilize this information to more easily exploit additional vulnerabilities.\n (CVE-2015-2375)\n\n - Multiple remote code execution vulnerabilities exist due to improper handling of objects in memory. A remote attacker can exploit these vulnerabilities by convincing a user to open a specially crafted file, resulting in the execution of arbitrary code in the context of the current user. (CVE-2015-2376, CVE-2015-2377, CVE-2015-2379, CVE-2015-2380, CVE-2015-2415, CVE-2015-2424)\n\n - A remote code execution vulnerability exists in Microsoft excel due to improper handling of the loading of dynamic link library (DLL) files. A remote attacker can exploit this vulnerability by placing a specially crafted DLL file in the user's current working directory and then convincing the user to launch a program designed to load the DLL, resulting in the execution of arbitrary code in the context of the current user.\n (CVE-2015-2378)", "edition": 6, "reporter": "Tenable", "published": "2015-07-14T00:00:00", "title": "MS15-070: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3072620)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2377", "CVE-2015-2378", "CVE-2015-2376", "CVE-2015-2375", "CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380", "CVE-2015-2415"], "modified": "2018-07-30T00:00:00", "cpe": ["cpe:/a:microsoft:sharepoint_server", "cpe:/a:microsoft:word", "cpe:/a:microsoft:word_viewer", "cpe:/a:microsoft:excel_viewer", "cpe:/a:microsoft:powerpoint", "cpe:/a:microsoft:office", "cpe:/a:microsoft:excel", "cpe:/a:microsoft:office_compatibility_pack"], "id": "SMB_NT_MS15-070.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84739", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84739);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/30 15:31:33\");\n\n script_cve_id(\n \"CVE-2015-2375\",\n \"CVE-2015-2376\",\n \"CVE-2015-2377\",\n \"CVE-2015-2378\",\n \"CVE-2015-2379\",\n \"CVE-2015-2380\",\n \"CVE-2015-2415\",\n \"CVE-2015-2424\"\n );\n #script_bugtraq_id();\n script_xref(name:\"MSFT\", value:\"MS15-070\");\n script_xref(name:\"MSKB\", value:\"2837612\");\n script_xref(name:\"MSKB\", value:\"2965208\");\n script_xref(name:\"MSKB\", value:\"2965209\");\n script_xref(name:\"MSKB\", value:\"2965281\");\n script_xref(name:\"MSKB\", value:\"2965283\");\n script_xref(name:\"MSKB\", value:\"3054861\");\n script_xref(name:\"MSKB\", value:\"3054949\");\n script_xref(name:\"MSKB\", value:\"3054958\");\n script_xref(name:\"MSKB\", value:\"3054963\");\n script_xref(name:\"MSKB\", value:\"3054968\");\n script_xref(name:\"MSKB\", value:\"3054971\");\n script_xref(name:\"MSKB\", value:\"3054973\");\n script_xref(name:\"MSKB\", value:\"3054981\");\n script_xref(name:\"MSKB\", value:\"3054990\");\n script_xref(name:\"MSKB\", value:\"3054996\");\n script_xref(name:\"MSKB\", value:\"3054999\");\n script_xref(name:\"IAVA\", value:\"2015-A-0163\");\n\n script_name(english:\"MS15-070: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3072620)\");\n script_summary(english:\"Checks the Office and SharePoint versions.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has a version of Microsoft Office, Microsoft\nWord, Microsoft Excel, Microsoft PowerPoint, SharePoint Server, or\nMicrosoft Office Compatibility Pack installed that is affected by\nmultiple vulnerabilities :\n\n - An ASLR bypass vulnerability exists in Microsoft Excel\n due to memory being released in an unintended manner. A\n remote attacker can exploit this by convincing a user to\n open a specially crafted Excel (.xls) file, allowing the\n attacker to more reliably predict the memory offsets of\n specific instructions in a given call stack. The\n attacker can then utilize this information to more\n easily exploit additional vulnerabilities.\n (CVE-2015-2375)\n\n - Multiple remote code execution vulnerabilities exist\n due to improper handling of objects in memory. A remote\n attacker can exploit these vulnerabilities by convincing\n a user to open a specially crafted file, resulting in\n the execution of arbitrary code in the context of the\n current user. (CVE-2015-2376, CVE-2015-2377,\n CVE-2015-2379, CVE-2015-2380, CVE-2015-2415,\n CVE-2015-2424)\n\n - A remote code execution vulnerability exists in\n Microsoft excel due to improper handling of the loading\n of dynamic link library (DLL) files. A remote attacker\n can exploit this vulnerability by placing a specially\n crafted DLL file in the user's current working directory\n and then convincing the user to launch a program\n designed to load the DLL, resulting in the execution of\n arbitrary code in the context of the current user.\n (CVE-2015-2378)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/ms15-070\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office 2007. Office 2010,\nOffice 2013, Word 2007, Word 2010, Word 2013, Excel 2007, Excel 2010,\nExcel 2013, PowerPoint 2007, PowerPoint 2010, PowerPoint 2013, Excel\nViewer, Word Viewer, Office Compatibility Pack, SharePoint Server\n2007, SharePoint Server 2010, and SharePoint Server 2013.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:powerpoint\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_compatibility_pack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"office_installed.nasl\", \"microsoft_sharepoint_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nglobal_var bulletin, vuln;\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS15-070';\nkbs = make_list(\n 2837612, # SharePoint Server 2007 SP3\n 2965208, # Office Compat Pack SP3\n 2965209, # Excel Viewer 2007 SP3\n 2965281, # Excel 2007 SP3\n 2965283, # PowerPoint 2007 SP3\n 3054861, # SharePoint Server 2013 SP1\n 3054949, # Excel 2013 SP1\n 3054958, # Word Viewer\n 3054963, # PowerPoint 2010 SP2\n 3054968, # SharePoint Server 2010 SP2\n 3054971, # Office 2010 SP2\n 3054973, # Word 2010 SP2\n 3054981, # Excel 2010 SP2\n 3054990, # Word 2013 SP1\n 3054996, # Word 2007 SP3\n 3054999 # PowerPoint 2013 SP1\n);\n\n######################################################################\n# Main\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir)) exit(1, \"Failed to determine the location of %windir%.\");\nregistry_init();\n\n# Generic Office Checks\nfunction perform_office_checks()\n{\n local_var office_vers, office_sp, path;\n office_vers = hotfix_check_office_version();\n if (office_vers[\"12.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n path = hotfix_append_path(path:hotfix_get_officeprogramfilesdir(officever:\"12.0\"), value:\"Microsoft Office\\Office12\");\n if (hotfix_check_fversion(file:\"ppcore.dll\", version:\"12.0.6726.5000\", path:path, bulletin:bulletin, kb:\"2965283\", product:\"PowerPoint 2007 SP3\") == HCF_OLDER)\n vuln = TRUE;\n }\n }\n if (office_vers[\"14.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && office_sp == 2)\n {\n path = hotfix_append_path(path:hotfix_get_officeprogramfilesdir(officever:\"14.0\"), value:\"Microsoft Office\\Office14\");\n if (hotfix_check_fversion(file:\"Wwlib.dll\", version:\"14.0.7153.5002\", path:path, bulletin:bulletin, kb:\"3054971\", product:\"Microsoft Office 2010\") == HCF_OLDER)\n vuln = TRUE;\n }\n }\n}\n\nfunction perform_office_product_checks()\n{\n local_var excel_checks, ppt_checks, word_checks, excel_vwr_checks, compat_checks, word_vwr_checks;\n\n ######################################################################\n # Excel\n ######################################################################\n excel_checks = make_array(\n \"12.0\", make_array(\"sp\", 3, \"version\", \"12.0.6723.5000\", \"kb\", \"2965281\"),\n \"14.0\", make_array(\"sp\", 2, \"version\", \"14.0.7153.5000\", \"kb\", \"3054981\"),\n \"15.0\", make_array(\"sp\", 1, \"version\", \"15.0.4737.1000\", \"kb\", \"3054949\")\n );\n if (hotfix_check_office_product(product:\"Excel\", checks:excel_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # PowerPoint\n ######################################################################\n ppt_checks = make_array(\n \"14.0\", make_array(\"sp\", 2, \"version\", \"14.0.7138.5000\", \"kb\", \"3054963\"),\n \"15.0\", make_array(\"sp\", 1, \"version\", \"15.0.4737.1003\", \"kb\", \"3054999\")\n );\n if (hotfix_check_office_product(product:\"PowerPoint\", checks:ppt_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # Word\n ######################################################################\n word_checks = make_array(\n \"12.0\", make_array(\"sp\", 3, \"version\", \"12.0.6726.5000\", \"kb\", \"3054996\"),\n \"14.0\", make_array(\"sp\", 2, \"version\", \"14.0.7153.5002\", \"kb\", \"3054973\"),\n \"15.0\", make_array(\"sp\", 1, \"version\", \"15.0.4737.1003\", \"kb\", \"3054990\")\n );\n if (hotfix_check_office_product(product:\"Word\", checks:word_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # PowerPoint Viewer 2010\n # KB: 2956195 Fix Ver: 14.0.7149.5000\n ######################################################################\n excel_vwr_checks = make_array(\n \"12.0\", make_array(\"sp\", 3, \"version\", \"12.0.6723.5000\", \"kb\", \"2965209\")\n );\n if (hotfix_check_office_product(product:\"ExcelViewer\", display_name:\"Excel Viewer\", checks:excel_vwr_checks, bulletin:bulletin))\n vuln = TRUE;\n compat_checks = make_array(\n \"12.0\", make_array(\"sp\", 3, \"version\", \"12.0.6723.5000\", \"kb\", \"2965208\")\n );\n if (hotfix_check_office_product(product:\"ExcelCnv\", display_name:\"Office Compatibility Pack SP3\", checks:compat_checks, bulletin:bulletin))\n vuln = TRUE;\n word_vwr_checks = make_array(\n \"11.0\", make_array(\"version\", \"11.0.8419.0\", \"kb\", \"3054958\")\n );\n if (hotfix_check_office_product(product:\"WordViewer\", display_name:\"Word Viewer\", checks:word_vwr_checks, bulletin:bulletin))\n vuln = TRUE;\n}\n\n######################################################################\n# SharePoint\n######################################################################\nfunction perform_sharepoint_checks()\n{\n local_var sps_2007_path, sps_2007_sp, sps_2007_edition;\n local_var sps_2010_path, sps_2013_path, sps_2010_sp, sps_2013_sp, sps_2010_edition, sps_2013_edition;\n local_var installs, install, sp, path;\n local_var share, name, port, login, pass, domain, rc;\n local_var js, file, timestamp, kb, info;\n\n # Get installs of SharePoint\n sps_2007_path = NULL;\n sps_2010_path = NULL;\n sps_2013_path = NULL;\n sp = NULL;\n\n installs = get_installs(app_name:\"Microsoft SharePoint Server\");\n foreach install (installs[1])\n {\n if (install[\"Product\"] == \"2007\")\n {\n sps_2007_path = install[\"path\"];\n sps_2007_sp = install[\"SP\"];\n sps_2007_edition = install[\"Edition\"];\n }\n if (install['Product'] == \"2010\")\n {\n sps_2010_path = install['path'];\n sps_2010_sp = install['SP'];\n sps_2010_edition = install['Edition'];\n }\n else if (install['Product'] == \"2013\")\n {\n sps_2013_path = install['path'];\n sps_2013_sp = install['SP'];\n sps_2013_edition = install['Edition'];\n }\n }\n\n ######################################################################\n # SharePoint Server 2007 SP3 - Excel Services\n # KB: 2837612 File: xlsrv.dll Fix Ver: 12.0.6723.5000\n ######################################################################\n if (sps_2007_path && sps_2007_sp == \"3\" && sps_2007_edition == \"Server\")\n {\n path = hotfix_append_path(path:sps_2007_path, value:\"Bin\");\n if (hotfix_check_fversion(file:\"xlsrv.dll\", version:\"12.0.6723.5000\", path:path, bulletin:bulletin, kb:\"2837612\", product:\"Office SharePoint Server 2007 Excel Services\") == HCF_OLDER)\n vuln = TRUE;\n }\n\n ######################################################################\n # SharePoint Server 2010 SP2 - Excel Services\n # KB: 3054968 File: xlsrv.dll Fix Ver: 14.0.7153.5000\n ######################################################################\n if (sps_2010_path && sps_2010_sp == \"2\" && sps_2010_edition == \"Server\")\n {\n path = hotfix_append_path(path:sps_2010_path, value:\"Bin\");\n if (hotfix_check_fversion(file:\"xlsrv.dll\", version:\"14.0.7153.5000\", path:path, bulletin:bulletin, kb:\"3054968\", product:\"Office SharePoint Server 2010 Excel Services\") == HCF_OLDER)\n vuln = TRUE;\n }\n\n ######################################################################\n # SharePoint Server 2013 SP1 - Excel Services\n # KB: 3054861 File: xlsrv.dll Fix Ver: 15.0.4737.1000\n ######################################################################\n if (sps_2013_path && sps_2013_sp == \"1\" && sps_2013_edition == \"Server\")\n {\n path = hotfix_append_path(path:sps_2013_path, value:\"Bin\");\n if (hotfix_check_fversion(file:\"xlsrv.dll\", version:\"15.0.4737.1000\", path:path, bulletin:bulletin, kb:\"3054861\", product:\"Office SharePoint Server 2013 Excel Services\") == HCF_OLDER)\n vuln = TRUE;\n }\n}\n\nperform_office_checks();\nperform_office_product_checks();\nperform_sharepoint_checks();\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:10:41", "references": ["https://technet.microsoft.com/library/security/ms15-070"], "pluginID": "84740", "description": "The remote Mac OS X host has a version of Microsoft Excel installed that is affected by multiple remote code execution vulnerabilities due to improper handling of objects in memory. A remote attacker can exploit these vulnerabilities by convincing a user to open a specially crafted file, resulting in the execution of arbitrary code in the context of the current user.", "edition": 7, "reporter": "Tenable", "published": "2015-07-14T00:00:00", "title": "MS15-070: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3072620)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "MacOS X Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2376", "CVE-2015-2379"], "modified": "2018-08-10T00:00:00", "cpe": ["cpe:/a:microsoft:office:2011:mac"], "id": "MACOSX_MS15-070_OFFICE_2011.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84740", "sourceData": "#TRUSTED 675d051933d47e632d14be94ba148a638cf8e46157911e82564b1cb9c58176e26bf498ef4d97b669e8d332d8e3fa8f1b1be924aee942bff09658b0364fcc190da71e5d7ac943440d0d2a4631c223df692e5b8807d86a9c54105920ab9e1e57ac608a25c4d9588fd021e73a12a4c7e38a716671b3ec5f8d74369e034f33f9e47e6174725ac0aea1eb443684b92672e625373eef288963701f78e6b198adb21487380a42c0b34830fea89592670e4007aa6d26fd373078c1ef369893be5db727707b45aea1084b041f7151a8c247db95cd9ce754e6235f2282d6d3c2bf9eeda9c3c2963094cb990bd9c66d01151033cc5c114577f196416a09817d7fcd8d51531347a6be9906abbad62d06b797e3dc8f57cbb3989213d920e64d5c14fd2be5d699bd799577f2d6a75593b4a41dbbbf93830436af0c1ff74b6780499cd0d726e81a1f6565c00815fd9b9f257f696727ac101ba039d0f9baeb56884a015e078e68dfaa8e90f599571adba68f8b8ae0d2d0ac3d4ff3caa4a35fcf81cd6e17d234c83cf23cbeef37c5a459360e7c8a2c597cbed321d27a48d3a9455a79313634b18da55f372dfdc66b3d216c1772b6c0fc5475c93e8dfa5836bdbfcbd8c62f3c373ebde3c09d463716c4a56c9c19db74cacf48c77900a3af89d2c0cdf4b95d556490cba6564dddf11f0c54965a0b24d63d574f3cb47b77d3146954ef0f25376178664c\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84740);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/08/10\");\n\n script_cve_id(\"CVE-2015-2376\", \"CVE-2015-2379\");\n script_xref(name:\"MSFT\", value:\"MS15-070\");\n script_xref(name:\"IAVA\", value:\"2015-A-0163\");\n script_xref(name:\"MSKB\", value:\"3073865\");\n\n script_name(english:\"MS15-070: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3072620)\");\n script_summary(english:\"Checks the version of Microsoft Office.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Mac OS X host is affected by\nmultiple remote code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host has a version of Microsoft Excel installed\nthat is affected by multiple remote code execution vulnerabilities due\nto improper handling of objects in memory. A remote attacker can\nexploit these vulnerabilities by convincing a user to open a specially\ncrafted file, resulting in the execution of arbitrary code in the\ncontext of the current user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/ms15-070\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a patch for Office for Mac 2011.\n\nNote that Microsoft has re-released the patch to update the version\nof Microsoft Office for Mac to version 14.5.3 to address a potential\nissue with Microsoft Outlook for Mac. Microsoft recommends that this\nupdate is applied.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2011:mac\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\n# Gather version info.\ninfo = '';\ninstalls = make_array();\n\nprod = 'Office for Mac 2011';\nplist = \"/Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\\(.*\\\\)<\\\\/string>.*/\\\\1/g\\'';\nversion = exec_cmd(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^14\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '14.5.3';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\n# Report findings.\nif (info)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:info);\n else security_hole(0);\n\n exit(0);\n}\nelse\n{\n if (max_index(keys(installs)) == 0) exit(0, \"Office for Mac 2011 is not installed.\");\n else\n {\n msg = 'The host has ';\n foreach prod (sort(keys(installs)))\n msg += prod + ' ' + installs[prod] + ' and ';\n msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));\n\n msg += ' installed and thus is not affected.';\n\n exit(0, msg);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:01", "references": [], "description": "Memory corruptions, DLL planting, restrictions bypass.", "edition": 1, "reporter": "MICROSOFT", "published": "2015-07-19T00:00:00", "title": "Microsoft Office multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:01", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "SharePoint Server", "version": "2007", "operator": "eq"}, {"name": "Office", "version": "2013", "operator": "eq"}, {"name": "Office", "version": "2010", "operator": "eq"}, {"name": "SharePoint Server", "version": "2010", "operator": "eq"}, {"name": "Office", "version": "2007", "operator": "eq"}, {"name": "SharePoint Server", "version": "2013", "operator": "eq"}], "cvelist": ["CVE-2015-2377", "CVE-2015-2378", "CVE-2015-2376", "CVE-2015-2375", "CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380", "CVE-2015-2415"], "modified": "2015-07-19T00:00:00", "id": "SECURITYVULNS:VULN:14595", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14595", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2018-12-06T13:24:01", "references": [], "description": "### *CVSS*:\n9.3\n\n### *Detect date*:\n07/14/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft office. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, gain privileges or execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Office 2007 Service Pack 3 \nMicrosoft Office 2010 Service Pack 2 \nMicrosoft Office 2013 Service Pack 1 \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office for Mac 2011 \nMicrosoft Excel Viewer 2007 Service Pack 3 \nMicrosoft Office Compatibility Pack Service Pack 3 \nMicrosoft Word Viewer \nMicrosoft SharePoint Server 2007 Service Pack 3 \nMicrosoft SharePoint Server 2010 Service Pack 2 \nMicrosoft SharePoint Server 2013 Service Pack 1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2015-2377](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2377>) \n[CVE-2015-2376](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2376>) \n[CVE-2015-2375](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2375>) \n[CVE-2015-2379](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2379>) \n[CVE-2015-2378](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2378>) \n[CVE-2015-2380](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2380>) \n[CVE-2015-2424](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2424>) \n[CVE-2015-2415](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2415>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2015-2377](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2377>) \n[CVE-2015-2376](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2376>) \n[CVE-2015-2375](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2375>) \n[CVE-2015-2379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2379>) \n[CVE-2015-2378](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2378>) \n[CVE-2015-2380](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2380>) \n[CVE-2015-2424](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2424>) \n[CVE-2015-2415](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2415>) \n\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3072620](<http://support.microsoft.com/kb/3072620>) \n[2837612](<http://support.microsoft.com/kb/2837612>) \n[2965283](<http://support.microsoft.com/kb/2965283>) \n[2965208](<http://support.microsoft.com/kb/2965208>) \n[2965281](<http://support.microsoft.com/kb/2965281>) \n[2965209](<http://support.microsoft.com/kb/2965209>) \n[3073865](<http://support.microsoft.com/kb/3073865>) \n[3054981](<http://support.microsoft.com/kb/3054981>) \n[3054968](<http://support.microsoft.com/kb/3054968>) \n[3054996](<http://support.microsoft.com/kb/3054996>) \n[3054990](<http://support.microsoft.com/kb/3054990>) \n[3054861](<http://support.microsoft.com/kb/3054861>) \n[3054949](<http://support.microsoft.com/kb/3054949>) \n[3054958](<http://support.microsoft.com/kb/3054958>) \n[3054973](<http://support.microsoft.com/kb/3054973>) \n[3054963](<http://support.microsoft.com/kb/3054963>) \n[3054971](<http://support.microsoft.com/kb/3054971>) \n[3054999](<http://support.microsoft.com/kb/3054999>)", "edition": 27, "reporter": "Kaspersky Lab", "published": "2015-07-14T00:00:00", "title": "\r KLA10632Multiple vulnerabilities in Microsoft Office ", "type": "kaspersky", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2015-2377", "CVE-2015-2378", "CVE-2015-2376", "CVE-2015-2375", "CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380", "CVE-2015-2415"], "modified": "2018-12-04T00:00:00", "id": "KLA10632", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10632", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-22T16:38:48", "references": ["https://technet.microsoft.com/en-us/library/security/MS15-070", "https://support.microsoft.com/en-us/kb/3054958", "https://technet.microsoft.com/en-us/security/bulletin/ms15-070"], "pluginID": "1361412562310805814", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 8, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-07-15T00:00:00", "title": "Microsoft Office Word Viewer Memory Corruption Vulnerability (3072620)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2379"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310805814", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805814", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_viewer_ms15-070.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Microsoft Office Word Viewer Memory Corruption Vulnerability (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805814\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-2379\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 12:17:26 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Viewer Memory Corruption Vulnerability (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to improper handling of files\n in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word Viewer\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and install the hotfixes from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054958\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/WordView/Version\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwordviewVer = get_kb_item(\"SMB/Office/WordView/Version\");\nif(wordviewVer)\n{\n if(version_in_range(version:wordviewVer, test_version:\"11.0\", test_version2:\"11.0.8418\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:38:06", "references": ["https://support.microsoft.com/en-us/kb/3054999", "https://technet.microsoft.com/en-us/library/security/MS15-070", "https://support.microsoft.com/en-us/kb/3054963", "https://support.microsoft.com/en-us/kb/2965283", "https://technet.microsoft.com/en-us/security/bulletin/ms15-070"], "pluginID": "1361412562310805810", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 7, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-07-15T00:00:00", "title": "Microsoft Office PowerPoint Remote Code Execution Vulnerability (3072620)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310805810", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805810", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_powerpoint_ms15-070.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Microsoft Office PowerPoint Remote Code Execution Vulnerability (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805810\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:27:38 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office PowerPoint Remote Code Execution Vulnerability (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to improper handling of files\n in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft PowerPoint 2007 Service Pack 3 and prior,\n Microsoft PowerPoint 2010 Service Pack 2 and prior,\n Microsoft PowerPoint 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and install the hotfixes from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/2965283\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054963\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054999\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Office/Ver\", \"SMB/Office/PowerPnt/Version\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\npptVer = get_kb_item(\"SMB/Office/PowerPnt/Version\");\nif(!pptVer){\n exit(0);\n}\n\n# Office Power Point for 2007/2010/2013\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\nif(!path){\n exit(0);\n}\n\nforeach ver (make_list(\"\\OFFICE12\", \"\\OFFICE14\", \"\\OFFICE15\"))\n{\n offPath = path + \"\\Microsoft Office\" + ver ;\n dllVer = fetch_file_version(sysPath:offPath, file_name:\"ppcore.dll\");\n\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:dllVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:39:45", "references": ["https://support.microsoft.com/en-us/kb/3073865", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "pluginID": "1361412562310805923", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 7, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-07-16T00:00:00", "title": "Microsoft Office Excel Remote Code Execution Vulnerabilities-3072620 (Mac OS X)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Mac OS X Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2376", "CVE-2015-2379"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310805923", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805923", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms15-070_macosx.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Microsoft Office Excel Remote Code Execution Vulnerabilities-3072620 (Mac OS X)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805923\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-2376\", \"CVE-2015-2379\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-16 10:57:22 +0530 (Thu, 16 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Excel Remote Code Execution Vulnerabilities-3072620 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2011 on Mac OS X\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3073865\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gb_microsoft_office_detect_macosx.nasl\");\n script_mandatory_keys(\"MS/Office/MacOSX/Ver\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\noffVer = get_kb_item(\"MS/Office/MacOSX/Ver\");\n\nif(!offVer || !(offVer =~ \"^14\")){\n exit(0);\n}\n\nif(version_in_range(version:offVer, test_version:\"14.0\", test_version2:\"14.5.2\"))\n{\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:56:34", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "references": ["https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049", "https://threatpost.com/microsoft-patches-hacking-team-windows-kernel-zero-day/113788", "http://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/", "https://technet.microsoft.com/en-us/library/security/MS15-070", "https://threatpost.com/oracle-patches-java-zero-day/113792"], "description": "An APT group thought to be tied to Russia is flying against conventional wisdom, having as recently as the last three weeks dropped its sixth zero-day in the past four months.\n\nGiven the underground value of unpatched and unreported vulnerabilities, this is highly unusual behavior, even for a state-sponsored cyberespionage team.\n\nNonetheless, [APT 28](<https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049>), also known by other nicknames such as Tsar Team, Operation Pawn Storm, and Sednit, has been a busy gang targeting government agencies and military operations with a host of Adobe Flash, Microsoft and Java-based zero-days at their disposal.\n\nThis week alone, two zero-days attributed to this team disappeared when they were [patched by Microsoft](<https://threatpost.com/microsoft-patches-hacking-team-windows-kernel-zero-day/113788>) and Oracle in Office and Java respectively. Researchers at [iSight Partners](<http://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/>) reported the Office zero-day to Microsoft on June 30 and it was patched on Tuesday in [MS15-070](<https://technet.microsoft.com/en-us/library/security/MS15-070>), an Office security bulletin that patched 13 other vulnerabilities in the software. Later that night, [Oracle erased a Java zero-day](<https://threatpost.com/oracle-patches-java-zero-day/113792>) in its quarterly Critical Patch Update that was used against a U.S.-based defense contractor and foreign military outfits. It was the first Java zero day actively exploited in the wild since 2013, experts said.\n\nAPT 28 keeps a vast arsenal of malware and domains under its control, according to researchers Brian Bartholomew and Jonathan Leathery of iSight.\n\n\u201cThis indicates it\u2019s not a handful of guys; this is an organization managing this stuff,\u201d Bartholomew said, adding that the group has also been known to use cryptocurrency such as Bitcoin to buy domains in order to hide registration information and remain anonymous. \u201cIt\u2019s hard to manage that much infrastructure that they own.\u201d\n\nFive of the half-dozen zero days, Bartholomew said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was uncovered after the Hacking Team breach.\n\n\u201cThey actually rewrote it, which is interesting. It\u2019s not just a copy of the [Hacking Team] proof of concept with their own shell code added,\u201d Bartholomew said.\n\nThe Office zero day, CVE-2015-2424, was likely still under development since iSight researchers said it was still fairly buggy and unreliable. It was likely spread via spear phishing emails, specifically targeting individuals or groups within sensitive organizations. The lure found by iSight was a Word document purporting to be an analysis of the Iran nuclear deal.\n\n\u201cIt\u2019s a heap corruption vulnerability in Office where it\u2019s mishandling an object in memory, which allowed for remote code execution from the weaponized document,\u201d Leathery said, adding that the message also included a CNN article on the Iran deal published June 28. The likely targets were the former Soviet republic of Georgia.\n\nThe payload is a variant of the Sofacy or Sednit Trojan, which immediately opens a backdoor to a number of attacker-controlled domains where stolen data is sent. Some of the domains, iSight said, are benign or do not belong to the APT group, a false-flag of sorts. The targets are government agencies in Eastern Europe or NATO, along with critical industries such as nuclear, telecommunications, defense industrial base and diplomatic interests.\n\nThe group is not only adept at gathering intelligence from foreign interests, but also focuses on internal dissidents and threats to national security in Russia, iSight said. One counter-terrorism operation attributed to this group is the so-called Cyber Caliphate hacktivist operation, where hackers posing as ISIS supporters set up lures via social media or forums trying to attract those sympathetic to the Islamic State. Once some confidence is established with a target via direct messaging, APT 28 would entice them to install an application that was malicious and allowed them to monitor the dissidents\u2019 activities.\n\nDespite the fact that this particular Office\u2014and Java\u2014zero day has been patched, iSight believes APT 28 is well resourced and has more at its disposal.\n\n\u201cThis throws a wrench in their plans; usually they can get a few months out of a zero day before a patch is out,\u201d Bartholomew said. \u201cIt\u2019s unprecedented using this many zero days, but at the same time, they have access to developers who can build these or have the resources to buy them.\u201d\n", "reporter": "Michael Mimoso", "published": "2015-07-16T13:46:02", "type": "threatpost", "title": "Office, Java Patches Erase Latest APT 28 Zero Days", "enchantments": {"score": {"modified": "2018-10-06T22:56:34", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "info", "cvelist": ["CVE-2015-2424", "CVE-2015-5119"], "_object_type": "robots.models.threatpost.ThreatpostBulletin", "modified": "2015-07-21T20:45:15", "id": "THREATPOST:644EA98A53DF0E53AF5BDAC1607B06D2", "href": "https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:59", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "references": ["https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/", "https://threatpost.com/miniduke-espionage-malware-hits-governments-europe-using-adobe-exploits-022713/77569/", "https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/"], "description": "A new analysis of the Sofacy APT gang, a Russian-speaking group carrying out targeted attacks against military and government offices for close to a decade, shows a relentless wave of intrusions peaking this summer against victims in a number of NATO countries and the Ukraine.\n\nResearchers at Kaspersky Lab this morning [released their update on Sofacy](<https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/>), which is also known as APT28, Fancy Bear, Sednit and a handful of other monikers. The report demonstrates a barrage of zero-day vulnerabilities in Office, Java, Adobe and Windows at the group\u2019s disposal; the zero-days are being used against targets in attacks that remained active as of last month. The gang\u2019s malware implants were uncovered as well as its capabilities to quickly adapt to detection technologies and hit compromised machines with different backdoors so that in case one was found out, there would be fallbacks.\n\nSofacy\u2019s roots go back to around 2007, Kaspersky researchers said, with the name coming from an implant used in attacks four years ago that shared some similarities with the [Miniduke APT](<https://threatpost.com/miniduke-espionage-malware-hits-governments-europe-using-adobe-exploits-022713/77569/>) gang uncovered by Kaspersky Lab in 2013 executing espionage activity against governments in Europe.\n\nSofacy\u2019s rapid capability expansion began in 2013 when a number of new backdoors and malware tools were discovered, including CORESHELL, JHUHUGIT and AZZY among others.\n\nThis summer, the AZZY implant got a facelift and was used as recently as October along with a new USB-stealing malware designed to hit air-gapped machines.\n\nIn July, researchers at iSight Partners reported that Sofacy, or Tsar Team as iSight calls them, had dropped their [sixth zero day exploit in four months](<https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/>), two of which in Office and Java were patched during a span of a few days in July.\n\n\u201cUsually, when someone publishes research on a given cyber-espionage group, the group reacts: either it halts its activity or dramatically changes tactics and strategy. With Sofacy, this is not always the case. We have seen it launching attacks for several years now, and its activity has been reported by the security community multiple times,\u201d said Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab.\n\nFive of the six zero days, iSight said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was uncovered after the Hacking Team breach. Given the underground value of unpatched and unreported vulnerabilities, this was highly unusual behavior, even for a state-sponsored cyberespionage team.\n\nKaspersky researchers said that it discovered the group was using a Flash and Java zero day to drop the JHUHUGIT malware implant, which became its most prevalent first-stage implant in subsequent attacks.\n\nThe updated AZZY Trojan, meanwhile, surfaced in August in attacks against higher profile victims, and including in one case, a defense contractor, Kaspersky researchers said. While the first sample was spotted on July 29 and signatures quickly added to security systems, Kaspersky researchers said that by Aug. 4, another sample was in the wild. What made the AZZY update stand out was that it was not delivered via a zero-day, instead it was delivered and installed by separate malware already on the system, a dropper called msdeltemp.dll that the attackers controlled via backdoors in order to send commands to infected machines.\n\n\u201cThis code modification marks an unusual departure from the typical AZZY backdoors, with its C&amp;C communication functions moved to an external DLL file,\u201d Kaspersky researchers wrote in their report. \u201cIn the past, the Sofacy developers modified earlier AZZY backdoors to use a C&amp;C server encoded in the registry, instead of storing it in the malware itself, so this code modularization follows the same line of thinking.\u201d\n\nIn addition to traditional data-stealing capabilities, Sofacy also covets information stored on air-gapped machines and uses its USBSTEALER implant to drain these machines of valuable content.\n\nThis is behavior similar to that of the Equation group, one of the most sophisticated state-sponsored groups, which invested significant resources in developing more than 100 malware implants, each with their own purpose and used selectively against valuable targets.\n\n\u201cIn 2015 its activity increased significantly, deploying no less than five 0-days, making Sofacy one of the most prolific, agile and dynamic threat actors in the arena,\u201d Raiu said. \u201cWe have reasons to believe that these attacks will continue.\u201d\n", "reporter": "Michael Mimoso", "published": "2015-12-04T07:05:37", "type": "threatpost", "title": "Sofacy APT28 Gang Using New Backdoors, Zero Days", "enchantments": {"score": {"modified": "2018-10-06T22:55:59", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": ["CVE-2010-3333", "CVE-2011-2140", "CVE-2012-0158", "CVE-2012-1856", "CVE-2014-6352", "CVE-2015-2375", "CVE-2015-2376", "CVE-2015-2377", "CVE-2015-2424", "CVE-2015-5119"], "_object_type": "robots.models.threatpost.ThreatpostBulletin", "modified": "2015-12-04T21:35:34", "id": "THREATPOST:23B92BF326746339F6B36D64AEB2D5F6", "href": "https://threatpost.com/relentless-sofacy-apt-attacks-armed-with-zero-days-new-backdoors/115556/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}