Search...

Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)

2015-07-15T00:00:00

ID OPENVAS:1361412562310805811
Type openvas
Reporter Copyright (C) 2015 Greenbone Networks GmbH
Modified 2018-09-17T00:00:00

Description

This host is missing an important security update according to Microsoft Bulletin MS15-070.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_ms_word_ms15-070.nasl 11424 2018-09-17 08:03:52Z mmartin $
#
# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)
#
# Authors:
# Thanga Prakash S &lt;tprakash@secpod.com&gt;
#
# Copyright:
# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.805811");
  script_version("$Revision: 11424 $");
  script_cve_id("CVE-2015-2379", "CVE-2015-2380", "CVE-2015-2424");
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_tag(name:"last_modification", value:"$Date: 2018-09-17 10:03:52 +0200 (Mon, 17 Sep 2018) $");
  script_tag(name:"creation_date", value:"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)");
  script_tag(name:"qod_type", value:"executable_version");
  script_name("Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)");

  script_tag(name:"summary", value:"This host is missing an important security
  update according to Microsoft Bulletin MS15-070.");

  script_tag(name:"vuldetect", value:"Get the vulnerable file version and check
  appropriate patch is applied or not.");

  script_tag(name:"insight", value:"Multiple flaws are due to improper handling
  of files in the memory.");

  script_tag(name:"impact", value:"Successful exploitation will allow remote
  attackers to run arbitrary code in the context of the current user.");

  script_tag(name:"affected", value:"Microsoft Word 2007 Service Pack 3 and prior,
  Microsoft Word 2010 Service Pack 2 and prior,
  Microsoft Word 2013 Service Pack 1 and prior.");

  script_tag(name:"solution", value:"Run Windows Update and update the listed
  hotfixes or download and update mentioned hotfixes in the advisory from the
  below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070");

  script_tag(name:"solution_type", value:"VendorFix");

  script_xref(name:"URL", value:"https://support.microsoft.com/en-us/kb/3054996");
  script_xref(name:"URL", value:"https://support.microsoft.com/en-us/kb/3054973");
  script_xref(name:"URL", value:"https://support.microsoft.com/en-us/kb/3054990");
  script_xref(name:"URL", value:"https://technet.microsoft.com/en-us/library/security/MS15-070");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("secpod_office_products_version_900032.nasl");
  script_mandatory_keys("SMB/Office/Word/Version");
  exit(0);
}


include("version_func.inc");

winwordVer = get_kb_item("SMB/Office/Word/Version");

## Microsoft Office Word 2007/2010/2013
if(winwordVer && winwordVer =~ "^(12|14|15).*")
{
  if(version_in_range(version:winwordVer, test_version:"12.0", test_version2:"12.0.6726.4999") ||
     version_in_range(version:winwordVer, test_version:"14.0", test_version2:"14.0.7153.5001") ||
     version_in_range(version:winwordVer, test_version:"15.0", test_version2:"15.0.4737.1002"))
  {
    security_message( port: 0, data: "The target host was found to be vulnerable" );
    exit(0);
  }
}

JSON Vulners Source

Initial Source

{"id": "OPENVAS:1361412562310805811", "bulletinFamily": "scanner", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "published": "2015-07-15T00:00:00", "modified": "2018-09-17T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "type": "openvas", "lastseen": "2018-09-17T13:35:18", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "75312e73c53be7d71f723d5e07ad51e82262e9c997914ed84544fc59545c2d3c", "hashmap": [{"hash": "bb6754d79f2132b0e347144186a9bc7d", "key": "references"}, {"hash": "9bc2513a9afb621223fc7b827b4730e3", "key": "description"}, {"hash": "dbaad86219df8ed5ae8594dfb7671a12", "key": "sourceData"}, {"hash": "1bd2437e51c65f396d573496bf505abf", "key": "modified"}, {"hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e", "key": "title"}, {"hash": "b0ca152f2b27a812e2f2b87d3fe780f8", "key": "published"}, {"hash": "617e6f50c56eaa4331691c7265607b87", "key": "cvelist"}, {"hash": "361910b6fb469730e56758bd54ea77df", "key": "pluginID"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "edb0556a59a18ed6b6e2464eb93a43b5", "key": "href"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "id": "OPENVAS:1361412562310805811", "lastseen": "2018-08-30T19:21:48", "modified": "2017-01-20T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310805811", "published": "2015-07-15T00:00:00", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 5053 2017-01-20 13:10:56Z cfi $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 5053 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-01-20 14:10:56 +0100 (Fri, 20 Jan 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"\n Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## variable Initialization\nwinwordVer = \"\";\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message(0);\n exit(0);\n }\n}\n", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-30T19:21:48"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "adf5a0e5f1c323e663acb18624b2ef675218c840368b9ddb19e513bb34ce472d", "hashmap": [{"hash": "bb6754d79f2132b0e347144186a9bc7d", "key": "references"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "704c887ec56b5c516fa7b02953bad633", "key": "modified"}, {"hash": "9bc2513a9afb621223fc7b827b4730e3", "key": "description"}, {"hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e", "key": "title"}, {"hash": "b0ca152f2b27a812e2f2b87d3fe780f8", "key": "published"}, {"hash": "617e6f50c56eaa4331691c7265607b87", "key": "cvelist"}, {"hash": "361910b6fb469730e56758bd54ea77df", "key": "pluginID"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "d86ac9c74422b7d298d5ec74bf83708e", "key": "sourceData"}, {"hash": "edb0556a59a18ed6b6e2464eb93a43b5", "key": "href"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "id": "OPENVAS:1361412562310805811", "lastseen": "2018-09-05T11:35:25", "modified": "2018-09-04T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310805811", "published": "2015-07-15T00:00:00", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 11227 2018-09-04 13:25:37Z mmartin $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 11227 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-04 15:25:37 +0200 (Tue, 04 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 4, "lastseen": "2018-09-05T11:35:25"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "07f1af6b15f2505dc85e1f9d70626636d35883999d6c163aba28aea12185a88d", "hashmap": [{"hash": "bb6754d79f2132b0e347144186a9bc7d", "key": "references"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9bc2513a9afb621223fc7b827b4730e3", "key": "description"}, {"hash": "dbaad86219df8ed5ae8594dfb7671a12", "key": "sourceData"}, {"hash": "1bd2437e51c65f396d573496bf505abf", "key": "modified"}, {"hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e", "key": "title"}, {"hash": "b0ca152f2b27a812e2f2b87d3fe780f8", "key": "published"}, {"hash": "617e6f50c56eaa4331691c7265607b87", "key": "cvelist"}, {"hash": "361910b6fb469730e56758bd54ea77df", "key": "pluginID"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "edb0556a59a18ed6b6e2464eb93a43b5", "key": "href"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "id": "OPENVAS:1361412562310805811", "lastseen": "2017-07-02T21:11:46", "modified": "2017-01-20T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310805811", "published": "2015-07-15T00:00:00", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 5053 2017-01-20 13:10:56Z cfi $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 5053 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-01-20 14:10:56 +0100 (Fri, 20 Jan 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"\n Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## variable Initialization\nwinwordVer = \"\";\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message(0);\n exit(0);\n }\n}\n", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss"], "edition": 1, "lastseen": "2017-07-02T21:11:46"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "07f1af6b15f2505dc85e1f9d70626636d35883999d6c163aba28aea12185a88d", "hashmap": [{"hash": "bb6754d79f2132b0e347144186a9bc7d", "key": "references"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "9bc2513a9afb621223fc7b827b4730e3", "key": "description"}, {"hash": "dbaad86219df8ed5ae8594dfb7671a12", "key": "sourceData"}, {"hash": "1bd2437e51c65f396d573496bf505abf", "key": "modified"}, {"hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e", "key": "title"}, {"hash": "b0ca152f2b27a812e2f2b87d3fe780f8", "key": "published"}, {"hash": "617e6f50c56eaa4331691c7265607b87", "key": "cvelist"}, {"hash": "361910b6fb469730e56758bd54ea77df", "key": "pluginID"}, {"hash": "c9898bc973bfffca5119f1a3bfa73a8d", "key": "naslFamily"}, {"hash": "edb0556a59a18ed6b6e2464eb93a43b5", "key": "href"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "1e898993712db5cf9f9a110102684025", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805811", "id": "OPENVAS:1361412562310805811", "lastseen": "2018-09-01T23:49:22", "modified": "2017-01-20T00:00:00", "naslFamily": "Windows : Microsoft Bulletins", "objectVersion": "1.3", "pluginID": "1361412562310805811", "published": "2015-07-15T00:00:00", "references": ["https://support.microsoft.com/en-us/kb/3054990", "https://support.microsoft.com/en-us/kb/3054996", "https://support.microsoft.com/en-us/kb/3054973", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 5053 2017-01-20 13:10:56Z cfi $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 5053 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-01-20 14:10:56 +0100 (Fri, 20 Jan 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"\n Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## variable Initialization\nwinwordVer = \"\";\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message(0);\n exit(0);\n }\n}\n", "title": "Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2018-09-01T23:49:22"}], "edition": 5, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "617e6f50c56eaa4331691c7265607b87"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "9bc2513a9afb621223fc7b827b4730e3"}, {"key": "href", "hash": "edb0556a59a18ed6b6e2464eb93a43b5"}, {"key": "modified", "hash": "c546ec5a83c8267a23fb611906cdec7f"}, {"key": "naslFamily", "hash": "c9898bc973bfffca5119f1a3bfa73a8d"}, {"key": "pluginID", "hash": "361910b6fb469730e56758bd54ea77df"}, {"key": "published", "hash": "b0ca152f2b27a812e2f2b87d3fe780f8"}, {"key": "references", "hash": "bb6754d79f2132b0e347144186a9bc7d"}, {"key": "reporter", "hash": "1e898993712db5cf9f9a110102684025"}, {"key": "sourceData", "hash": "c803851578a6a1325f38a675a19c11f6"}, {"key": "title", "hash": "8bc4afcfb2c1cc55ffb18933e29b9f9e"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "b4bcf45979b3e72643dcd2854c9b1fd865f162b3d4ee3a90ad37425711b8e428", "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_ms15-070.nasl 11424 2018-09-17 08:03:52Z mmartin $\n#\n# Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805811\");\n script_version(\"$Revision: 11424 $\");\n script_cve_id(\"CVE-2015-2379\", \"CVE-2015-2380\", \"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-17 10:03:52 +0200 (Mon, 17 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:46:09 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Multiple Remote Code Execution Vulnerabilities (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word 2007 Service Pack 3 and prior,\n Microsoft Word 2010 Service Pack 2 and prior,\n Microsoft Word 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054996\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054973\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054990\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/Word/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwinwordVer = get_kb_item(\"SMB/Office/Word/Version\");\n\n## Microsoft Office Word 2007/2010/2013\nif(winwordVer && winwordVer =~ \"^(12|14|15).*\")\n{\n if(version_in_range(version:winwordVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:winwordVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:winwordVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "pluginID": "1361412562310805811"}

{"cve": [{"lastseen": "2017-09-22T10:42:09", "references": ["http://www.securitytracker.com/id/1032899", "http://technet.microsoft.com/security/bulletin/MS15-070"], "edition": 2, "description": "Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, and Word 2013 RT SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "reporter": "NVD", "published": "2015-07-14T17:59:14", "title": "CVE-2015-2380", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2015-2380"], "scanner": [], "cpe": ["cpe:/a:microsoft:word:2013:sp1", "cpe:/a:microsoft:word:2010:sp2:~~~~x64~", "cpe:/a:microsoft:word:2013:sp1:~~rt~~~", "cpe:/a:microsoft:word:2010:sp2:~~~x86~~", "cpe:/a:microsoft:office:2010:sp2:~~~~x64~", "cpe:/a:microsoft:office:2010:sp2:~~~~x86~", "cpe:/a:microsoft:word:2007:sp3"], "modified": "2017-09-21T21:29:04", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380", "id": "CVE-2015-2380", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-22T10:42:09", "references": ["http://www.securitytracker.com/id/1032899", "http://technet.microsoft.com/security/bulletin/MS15-070"], "edition": 2, "description": "Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Office for Mac 2011, and Word Viewer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "reporter": "NVD", "published": "2015-07-14T17:59:13", "title": "CVE-2015-2379", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2015-2379"], "scanner": [], "cpe": ["cpe:/a:microsoft:word:2013:sp1", "cpe:/a:microsoft:office:2011::~~~mac~~", "cpe:/a:microsoft:word_viewer", "cpe:/a:microsoft:word:2013:sp1:~~rt~~~", "cpe:/a:microsoft:office:2010:sp2:~~~~x64~", "cpe:/a:microsoft:office:2010:sp2:~~~~x86~", "cpe:/a:microsoft:word:2007:sp3"], "modified": "2017-09-21T21:29:04", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379", "id": "CVE-2015-2379", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-22T10:42:10", "references": ["http://www.securitytracker.com/id/1032899", "http://technet.microsoft.com/security/bulletin/MS15-070"], "edition": 2, "description": "Microsoft PowerPoint 2007 SP3, Word 2007 SP3, PowerPoint 2010 SP2, Word 2010 SP2, PowerPoint 2013 SP1, Word 2013 SP1, and PowerPoint 2013 RT SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka \"Microsoft Office Memory Corruption Vulnerability.\"", "reporter": "NVD", "published": "2015-07-14T17:59:35", "title": "CVE-2015-2424", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2015-2424"], "scanner": [], "cpe": ["cpe:/a:microsoft:word:2013:sp1", "cpe:/a:microsoft:powerpoint:2013:sp1:~~rt~~~", "cpe:/a:microsoft:powerpoint:2007:sp3", "cpe:/a:microsoft:word:2010:sp2:~~~~x64~", "cpe:/a:microsoft:word:2010:sp2:~~~x86~~", "cpe:/a:microsoft:powerpoint:2010:sp2", "cpe:/a:microsoft:word:2007:sp3", "cpe:/a:microsoft:powerpoint:2013:sp1"], "modified": "2017-09-21T21:29:06", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424", "id": "CVE-2015-2424", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-14T22:42:47", "references": [], "description": "### Description\n\nMicrosoft Office is prone to a remote memory-corruption vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2010 Service Pack 2 (32-bit editions) \n * Microsoft Office 2010 Service Pack 2 (64-bit editions) \n * Microsoft Office for Mac 2011 \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2013 RT Service Pack 1 \n * Microsoft Word 2013 Service Pack 1 (32-bit editions) \n * Microsoft Word 2013 Service Pack 1 (64-bit editions) \n * Microsoft Word Viewer \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "reporter": "Symantec Security Response", "published": "2015-07-14T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "symantec", "title": "Microsoft Office CVE-2015-2379 Memory Corruption Vulnerability", "bulletinFamily": "software", "affectedSoftware": [{"name": "Microsoft Word", "version": "2010 Service Pack 2 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2007 SP3 ", "operator": "eq"}, {"name": "Microsoft Office", "version": "2010 Service Pack 2 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2013 Service Pack 1 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft Office", "version": "2010 Service Pack 2 (64-bit editions) ", "operator": "eq"}, {"name": "Microsoft Office for Mac", "version": "2011 ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2013 Service Pack 1 (64-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2013 RT Service Pack 1 ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2010 Service Pack 2 (64-bit editions) ", "operator": "eq"}], "cvelist": ["CVE-2015-2379"], "modified": "2015-07-14T00:00:00", "id": "SMNTC-75645", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75645", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T00:21:44", "references": [], "edition": 2, "description": "### Description\n\nMicrosoft Office is prone to a remote memory-corruption vulnerability because it fails to properly handle objects in memory. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft PowerPoint 2007 SP3 \n * Microsoft PowerPoint 2010 Service Pack 2 (32-bit editions) \n * Microsoft PowerPoint 2010 Service Pack 2 (64-bit editions) \n * Microsoft PowerPoint 2013 RT Service Pack 1 \n * Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions) \n * Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions) \n * Microsoft Word 2007 SP3 \n * Microsoft Word 2010 Service Pack 2 (32-bit editions) \n * Microsoft Word 2010 Service Pack 2 (64-bit editions) \n * Microsoft Word 2013 Service Pack 1 (32-bit editions) \n * Microsoft Word 2013 Service Pack 1 (64-bit editions) \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "reporter": "Symantec Security Response", "published": "2015-07-14T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "symantec", "title": "Microsoft Office CVE-2015-2424 Memory Corruption Vulnerability", "bulletinFamily": "software", "affectedSoftware": [{"name": "Microsoft PowerPoint", "version": "2007 SP3 ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2010 Service Pack 2 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2007 SP3 ", "operator": "eq"}, {"name": "Microsoft PowerPoint", "version": "2010 Service Pack 2 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft PowerPoint", "version": "2013 Service Pack 1 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2013 Service Pack 1 (32-bit editions) ", "operator": "eq"}, {"name": "Microsoft PowerPoint", "version": "2013 Service Pack 1 (64-bit editions) ", "operator": "eq"}, {"name": "Microsoft PowerPoint", "version": "2013 RT Service Pack 1 ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2013 Service Pack 1 (64-bit editions) ", "operator": "eq"}, {"name": "Microsoft PowerPoint", "version": "2010 Service Pack 2 (64-bit editions) ", "operator": "eq"}, {"name": "Microsoft Word", "version": "2010 Service Pack 2 (64-bit editions) ", "operator": "eq"}], "cvelist": ["CVE-2015-2424"], "modified": "2015-07-14T00:00:00", "id": "SMNTC-75744", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75744", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2018-09-13T06:47:41", "references": [], "description": "### *CVSS*:\n9.3\n\n### *Detect date*:\n07/14/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft office. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, gain privileges or execute arbitrary code.\n\n### *Affected products*:\nMicrosoft Office 2007 Service Pack 3 \nMicrosoft Office 2010 Service Pack 2 \nMicrosoft Office 2013 Service Pack 1 \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office for Mac 2011 \nMicrosoft Excel Viewer 2007 Service Pack 3 \nMicrosoft Office Compatibility Pack Service Pack 3 \nMicrosoft Word Viewer \nMicrosoft SharePoint Server 2007 Service Pack 3 \nMicrosoft SharePoint Server 2010 Service Pack 2 \nMicrosoft SharePoint Server 2013 Service Pack 1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2015-2377](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2377>) \n[CVE-2015-2376](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2376>) \n[CVE-2015-2375](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2375>) \n[CVE-2015-2379](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2379>) \n[CVE-2015-2378](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2378>) \n[CVE-2015-2380](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2380>) \n[CVE-2015-2424](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2424>) \n[CVE-2015-2415](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2415>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2015-2377](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2377>) \n[CVE-2015-2376](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2376>) \n[CVE-2015-2375](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2375>) \n[CVE-2015-2379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2379>) \n[CVE-2015-2378](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2378>) \n[CVE-2015-2380](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2380>) \n[CVE-2015-2424](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2424>) \n[CVE-2015-2415](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2415>) \n\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3072620](<http://support.microsoft.com/kb/3072620>) \n[2837612](<http://support.microsoft.com/kb/2837612>) \n[2965283](<http://support.microsoft.com/kb/2965283>) \n[2965208](<http://support.microsoft.com/kb/2965208>) \n[2965281](<http://support.microsoft.com/kb/2965281>) \n[2965209](<http://support.microsoft.com/kb/2965209>) \n[3073865](<http://support.microsoft.com/kb/3073865>) \n[3054981](<http://support.microsoft.com/kb/3054981>) \n[3054968](<http://support.microsoft.com/kb/3054968>) \n[3054996](<http://support.microsoft.com/kb/3054996>) \n[3054990](<http://support.microsoft.com/kb/3054990>) \n[3054861](<http://support.microsoft.com/kb/3054861>) \n[3054949](<http://support.microsoft.com/kb/3054949>) \n[3054958](<http://support.microsoft.com/kb/3054958>) \n[3054973](<http://support.microsoft.com/kb/3054973>) \n[3054963](<http://support.microsoft.com/kb/3054963>) \n[3054971](<http://support.microsoft.com/kb/3054971>) \n[3054999](<http://support.microsoft.com/kb/3054999>)", "edition": 13, "reporter": "Kaspersky Lab", "published": "2015-07-14T00:00:00", "title": "\r KLA10632Multiple vulnerabilities in Microsoft Office ", "type": "kaspersky", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2015-2377", "CVE-2015-2378", "CVE-2015-2376", "CVE-2015-2375", "CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380", "CVE-2015-2415"], "modified": "2018-09-10T00:00:00", "id": "KLA10632", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10632", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:41:54", "references": ["https://technet.microsoft.com/library/security/ms15-070"], "pluginID": "84739", "description": "The remote Windows host has a version of Microsoft Office, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, SharePoint Server, or Microsoft Office Compatibility Pack installed that is affected by multiple vulnerabilities :\n\n - An ASLR bypass vulnerability exists in Microsoft Excel due to memory being released in an unintended manner. A remote attacker can exploit this by convincing a user to open a specially crafted Excel (.xls) file, allowing the attacker to more reliably predict the memory offsets of specific instructions in a given call stack. The attacker can then utilize this information to more easily exploit additional vulnerabilities.\n (CVE-2015-2375)\n\n - Multiple remote code execution vulnerabilities exist due to improper handling of objects in memory. A remote attacker can exploit these vulnerabilities by convincing a user to open a specially crafted file, resulting in the execution of arbitrary code in the context of the current user. (CVE-2015-2376, CVE-2015-2377, CVE-2015-2379, CVE-2015-2380, CVE-2015-2415, CVE-2015-2424)\n\n - A remote code execution vulnerability exists in Microsoft excel due to improper handling of the loading of dynamic link library (DLL) files. A remote attacker can exploit this vulnerability by placing a specially crafted DLL file in the user's current working directory and then convincing the user to launch a program designed to load the DLL, resulting in the execution of arbitrary code in the context of the current user.\n (CVE-2015-2378)", "edition": 6, "reporter": "Tenable", "published": "2015-07-14T00:00:00", "title": "MS15-070: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3072620)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2377", "CVE-2015-2378", "CVE-2015-2376", "CVE-2015-2375", "CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380", "CVE-2015-2415"], "modified": "2018-07-30T00:00:00", "cpe": ["cpe:/a:microsoft:sharepoint_server", "cpe:/a:microsoft:word", "cpe:/a:microsoft:word_viewer", "cpe:/a:microsoft:excel_viewer", "cpe:/a:microsoft:powerpoint", "cpe:/a:microsoft:office", "cpe:/a:microsoft:excel", "cpe:/a:microsoft:office_compatibility_pack"], "id": "SMB_NT_MS15-070.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84739", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84739);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/30 15:31:33\");\n\n script_cve_id(\n \"CVE-2015-2375\",\n \"CVE-2015-2376\",\n \"CVE-2015-2377\",\n \"CVE-2015-2378\",\n \"CVE-2015-2379\",\n \"CVE-2015-2380\",\n \"CVE-2015-2415\",\n \"CVE-2015-2424\"\n );\n #script_bugtraq_id();\n script_xref(name:\"MSFT\", value:\"MS15-070\");\n script_xref(name:\"MSKB\", value:\"2837612\");\n script_xref(name:\"MSKB\", value:\"2965208\");\n script_xref(name:\"MSKB\", value:\"2965209\");\n script_xref(name:\"MSKB\", value:\"2965281\");\n script_xref(name:\"MSKB\", value:\"2965283\");\n script_xref(name:\"MSKB\", value:\"3054861\");\n script_xref(name:\"MSKB\", value:\"3054949\");\n script_xref(name:\"MSKB\", value:\"3054958\");\n script_xref(name:\"MSKB\", value:\"3054963\");\n script_xref(name:\"MSKB\", value:\"3054968\");\n script_xref(name:\"MSKB\", value:\"3054971\");\n script_xref(name:\"MSKB\", value:\"3054973\");\n script_xref(name:\"MSKB\", value:\"3054981\");\n script_xref(name:\"MSKB\", value:\"3054990\");\n script_xref(name:\"MSKB\", value:\"3054996\");\n script_xref(name:\"MSKB\", value:\"3054999\");\n script_xref(name:\"IAVA\", value:\"2015-A-0163\");\n\n script_name(english:\"MS15-070: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3072620)\");\n script_summary(english:\"Checks the Office and SharePoint versions.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host has a version of Microsoft Office, Microsoft\nWord, Microsoft Excel, Microsoft PowerPoint, SharePoint Server, or\nMicrosoft Office Compatibility Pack installed that is affected by\nmultiple vulnerabilities :\n\n - An ASLR bypass vulnerability exists in Microsoft Excel\n due to memory being released in an unintended manner. A\n remote attacker can exploit this by convincing a user to\n open a specially crafted Excel (.xls) file, allowing the\n attacker to more reliably predict the memory offsets of\n specific instructions in a given call stack. The\n attacker can then utilize this information to more\n easily exploit additional vulnerabilities.\n (CVE-2015-2375)\n\n - Multiple remote code execution vulnerabilities exist\n due to improper handling of objects in memory. A remote\n attacker can exploit these vulnerabilities by convincing\n a user to open a specially crafted file, resulting in\n the execution of arbitrary code in the context of the\n current user. (CVE-2015-2376, CVE-2015-2377,\n CVE-2015-2379, CVE-2015-2380, CVE-2015-2415,\n CVE-2015-2424)\n\n - A remote code execution vulnerability exists in\n Microsoft excel due to improper handling of the loading\n of dynamic link library (DLL) files. A remote attacker\n can exploit this vulnerability by placing a specially\n crafted DLL file in the user's current working directory\n and then convincing the user to launch a program\n designed to load the DLL, resulting in the execution of\n arbitrary code in the context of the current user.\n (CVE-2015-2378)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/ms15-070\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office 2007. Office 2010,\nOffice 2013, Word 2007, Word 2010, Word 2013, Excel 2007, Excel 2010,\nExcel 2013, PowerPoint 2007, PowerPoint 2010, PowerPoint 2013, Excel\nViewer, Word Viewer, Office Compatibility Pack, SharePoint Server\n2007, SharePoint Server 2010, and SharePoint Server 2013.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:powerpoint\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_compatibility_pack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"office_installed.nasl\", \"microsoft_sharepoint_installed.nbin\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nglobal_var bulletin, vuln;\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS15-070';\nkbs = make_list(\n 2837612, # SharePoint Server 2007 SP3\n 2965208, # Office Compat Pack SP3\n 2965209, # Excel Viewer 2007 SP3\n 2965281, # Excel 2007 SP3\n 2965283, # PowerPoint 2007 SP3\n 3054861, # SharePoint Server 2013 SP1\n 3054949, # Excel 2013 SP1\n 3054958, # Word Viewer\n 3054963, # PowerPoint 2010 SP2\n 3054968, # SharePoint Server 2010 SP2\n 3054971, # Office 2010 SP2\n 3054973, # Word 2010 SP2\n 3054981, # Excel 2010 SP2\n 3054990, # Word 2013 SP1\n 3054996, # Word 2007 SP3\n 3054999 # PowerPoint 2013 SP1\n);\n\n######################################################################\n# Main\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\n\n# Get path information for Windows.\nwindir = hotfix_get_systemroot();\nif (isnull(windir)) exit(1, \"Failed to determine the location of %windir%.\");\nregistry_init();\n\n# Generic Office Checks\nfunction perform_office_checks()\n{\n local_var office_vers, office_sp, path;\n office_vers = hotfix_check_office_version();\n if (office_vers[\"12.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n path = hotfix_append_path(path:hotfix_get_officeprogramfilesdir(officever:\"12.0\"), value:\"Microsoft Office\\Office12\");\n if (hotfix_check_fversion(file:\"ppcore.dll\", version:\"12.0.6726.5000\", path:path, bulletin:bulletin, kb:\"2965283\", product:\"PowerPoint 2007 SP3\") == HCF_OLDER)\n vuln = TRUE;\n }\n }\n if (office_vers[\"14.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && office_sp == 2)\n {\n path = hotfix_append_path(path:hotfix_get_officeprogramfilesdir(officever:\"14.0\"), value:\"Microsoft Office\\Office14\");\n if (hotfix_check_fversion(file:\"Wwlib.dll\", version:\"14.0.7153.5002\", path:path, bulletin:bulletin, kb:\"3054971\", product:\"Microsoft Office 2010\") == HCF_OLDER)\n vuln = TRUE;\n }\n }\n}\n\nfunction perform_office_product_checks()\n{\n local_var excel_checks, ppt_checks, word_checks, excel_vwr_checks, compat_checks, word_vwr_checks;\n\n ######################################################################\n # Excel\n ######################################################################\n excel_checks = make_array(\n \"12.0\", make_array(\"sp\", 3, \"version\", \"12.0.6723.5000\", \"kb\", \"2965281\"),\n \"14.0\", make_array(\"sp\", 2, \"version\", \"14.0.7153.5000\", \"kb\", \"3054981\"),\n \"15.0\", make_array(\"sp\", 1, \"version\", \"15.0.4737.1000\", \"kb\", \"3054949\")\n );\n if (hotfix_check_office_product(product:\"Excel\", checks:excel_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # PowerPoint\n ######################################################################\n ppt_checks = make_array(\n \"14.0\", make_array(\"sp\", 2, \"version\", \"14.0.7138.5000\", \"kb\", \"3054963\"),\n \"15.0\", make_array(\"sp\", 1, \"version\", \"15.0.4737.1003\", \"kb\", \"3054999\")\n );\n if (hotfix_check_office_product(product:\"PowerPoint\", checks:ppt_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # Word\n ######################################################################\n word_checks = make_array(\n \"12.0\", make_array(\"sp\", 3, \"version\", \"12.0.6726.5000\", \"kb\", \"3054996\"),\n \"14.0\", make_array(\"sp\", 2, \"version\", \"14.0.7153.5002\", \"kb\", \"3054973\"),\n \"15.0\", make_array(\"sp\", 1, \"version\", \"15.0.4737.1003\", \"kb\", \"3054990\")\n );\n if (hotfix_check_office_product(product:\"Word\", checks:word_checks, bulletin:bulletin))\n vuln = TRUE;\n\n ######################################################################\n # PowerPoint Viewer 2010\n # KB: 2956195 Fix Ver: 14.0.7149.5000\n ######################################################################\n excel_vwr_checks = make_array(\n \"12.0\", make_array(\"sp\", 3, \"version\", \"12.0.6723.5000\", \"kb\", \"2965209\")\n );\n if (hotfix_check_office_product(product:\"ExcelViewer\", display_name:\"Excel Viewer\", checks:excel_vwr_checks, bulletin:bulletin))\n vuln = TRUE;\n compat_checks = make_array(\n \"12.0\", make_array(\"sp\", 3, \"version\", \"12.0.6723.5000\", \"kb\", \"2965208\")\n );\n if (hotfix_check_office_product(product:\"ExcelCnv\", display_name:\"Office Compatibility Pack SP3\", checks:compat_checks, bulletin:bulletin))\n vuln = TRUE;\n word_vwr_checks = make_array(\n \"11.0\", make_array(\"version\", \"11.0.8419.0\", \"kb\", \"3054958\")\n );\n if (hotfix_check_office_product(product:\"WordViewer\", display_name:\"Word Viewer\", checks:word_vwr_checks, bulletin:bulletin))\n vuln = TRUE;\n}\n\n######################################################################\n# SharePoint\n######################################################################\nfunction perform_sharepoint_checks()\n{\n local_var sps_2007_path, sps_2007_sp, sps_2007_edition;\n local_var sps_2010_path, sps_2013_path, sps_2010_sp, sps_2013_sp, sps_2010_edition, sps_2013_edition;\n local_var installs, install, sp, path;\n local_var share, name, port, login, pass, domain, rc;\n local_var js, file, timestamp, kb, info;\n\n # Get installs of SharePoint\n sps_2007_path = NULL;\n sps_2010_path = NULL;\n sps_2013_path = NULL;\n sp = NULL;\n\n installs = get_installs(app_name:\"Microsoft SharePoint Server\");\n foreach install (installs[1])\n {\n if (install[\"Product\"] == \"2007\")\n {\n sps_2007_path = install[\"path\"];\n sps_2007_sp = install[\"SP\"];\n sps_2007_edition = install[\"Edition\"];\n }\n if (install['Product'] == \"2010\")\n {\n sps_2010_path = install['path'];\n sps_2010_sp = install['SP'];\n sps_2010_edition = install['Edition'];\n }\n else if (install['Product'] == \"2013\")\n {\n sps_2013_path = install['path'];\n sps_2013_sp = install['SP'];\n sps_2013_edition = install['Edition'];\n }\n }\n\n ######################################################################\n # SharePoint Server 2007 SP3 - Excel Services\n # KB: 2837612 File: xlsrv.dll Fix Ver: 12.0.6723.5000\n ######################################################################\n if (sps_2007_path && sps_2007_sp == \"3\" && sps_2007_edition == \"Server\")\n {\n path = hotfix_append_path(path:sps_2007_path, value:\"Bin\");\n if (hotfix_check_fversion(file:\"xlsrv.dll\", version:\"12.0.6723.5000\", path:path, bulletin:bulletin, kb:\"2837612\", product:\"Office SharePoint Server 2007 Excel Services\") == HCF_OLDER)\n vuln = TRUE;\n }\n\n ######################################################################\n # SharePoint Server 2010 SP2 - Excel Services\n # KB: 3054968 File: xlsrv.dll Fix Ver: 14.0.7153.5000\n ######################################################################\n if (sps_2010_path && sps_2010_sp == \"2\" && sps_2010_edition == \"Server\")\n {\n path = hotfix_append_path(path:sps_2010_path, value:\"Bin\");\n if (hotfix_check_fversion(file:\"xlsrv.dll\", version:\"14.0.7153.5000\", path:path, bulletin:bulletin, kb:\"3054968\", product:\"Office SharePoint Server 2010 Excel Services\") == HCF_OLDER)\n vuln = TRUE;\n }\n\n ######################################################################\n # SharePoint Server 2013 SP1 - Excel Services\n # KB: 3054861 File: xlsrv.dll Fix Ver: 15.0.4737.1000\n ######################################################################\n if (sps_2013_path && sps_2013_sp == \"1\" && sps_2013_edition == \"Server\")\n {\n path = hotfix_append_path(path:sps_2013_path, value:\"Bin\");\n if (hotfix_check_fversion(file:\"xlsrv.dll\", version:\"15.0.4737.1000\", path:path, bulletin:bulletin, kb:\"3054861\", product:\"Office SharePoint Server 2013 Excel Services\") == HCF_OLDER)\n vuln = TRUE;\n }\n}\n\nperform_office_checks();\nperform_office_product_checks();\nperform_sharepoint_checks();\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:10:41", "references": ["https://technet.microsoft.com/library/security/ms15-070"], "pluginID": "84740", "description": "The remote Mac OS X host has a version of Microsoft Excel installed that is affected by multiple remote code execution vulnerabilities due to improper handling of objects in memory. A remote attacker can exploit these vulnerabilities by convincing a user to open a specially crafted file, resulting in the execution of arbitrary code in the context of the current user.", "edition": 7, "reporter": "Tenable", "published": "2015-07-14T00:00:00", "title": "MS15-070: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3072620)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "MacOS X Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2376", "CVE-2015-2379"], "modified": "2018-08-10T00:00:00", "cpe": ["cpe:/a:microsoft:office:2011:mac"], "id": "MACOSX_MS15-070_OFFICE_2011.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84740", "sourceData": "#TRUSTED 675d051933d47e632d14be94ba148a638cf8e46157911e82564b1cb9c58176e26bf498ef4d97b669e8d332d8e3fa8f1b1be924aee942bff09658b0364fcc190da71e5d7ac943440d0d2a4631c223df692e5b8807d86a9c54105920ab9e1e57ac608a25c4d9588fd021e73a12a4c7e38a716671b3ec5f8d74369e034f33f9e47e6174725ac0aea1eb443684b92672e625373eef288963701f78e6b198adb21487380a42c0b34830fea89592670e4007aa6d26fd373078c1ef369893be5db727707b45aea1084b041f7151a8c247db95cd9ce754e6235f2282d6d3c2bf9eeda9c3c2963094cb990bd9c66d01151033cc5c114577f196416a09817d7fcd8d51531347a6be9906abbad62d06b797e3dc8f57cbb3989213d920e64d5c14fd2be5d699bd799577f2d6a75593b4a41dbbbf93830436af0c1ff74b6780499cd0d726e81a1f6565c00815fd9b9f257f696727ac101ba039d0f9baeb56884a015e078e68dfaa8e90f599571adba68f8b8ae0d2d0ac3d4ff3caa4a35fcf81cd6e17d234c83cf23cbeef37c5a459360e7c8a2c597cbed321d27a48d3a9455a79313634b18da55f372dfdc66b3d216c1772b6c0fc5475c93e8dfa5836bdbfcbd8c62f3c373ebde3c09d463716c4a56c9c19db74cacf48c77900a3af89d2c0cdf4b95d556490cba6564dddf11f0c54965a0b24d63d574f3cb47b77d3146954ef0f25376178664c\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84740);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/08/10\");\n\n script_cve_id(\"CVE-2015-2376\", \"CVE-2015-2379\");\n script_xref(name:\"MSFT\", value:\"MS15-070\");\n script_xref(name:\"IAVA\", value:\"2015-A-0163\");\n script_xref(name:\"MSKB\", value:\"3073865\");\n\n script_name(english:\"MS15-070: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3072620)\");\n script_summary(english:\"Checks the version of Microsoft Office.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Mac OS X host is affected by\nmultiple remote code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Mac OS X host has a version of Microsoft Excel installed\nthat is affected by multiple remote code execution vulnerabilities due\nto improper handling of objects in memory. A remote attacker can\nexploit these vulnerabilities by convincing a user to open a specially\ncrafted file, resulting in the execution of arbitrary code in the\ncontext of the current user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/ms15-070\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a patch for Office for Mac 2011.\n\nNote that Microsoft has re-released the patch to update the version\nof Microsoft Office for Mac to version 14.5.3 to address a potential\nissue with Microsoft Outlook for Mac. Microsoft recommends that this\nupdate is applied.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2011:mac\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\n# Gather version info.\ninfo = '';\ninstalls = make_array();\n\nprod = 'Office for Mac 2011';\nplist = \"/Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist\";\ncmd = 'cat \\'' + plist + '\\' | ' +\n 'grep -A 1 CFBundleShortVersionString | ' +\n 'tail -n 1 | ' +\n 'sed \\'s/.*string>\\\$.*\\\$<\\\\/string>.*/\\\\1/g\\'';\nversion = exec_cmd(cmd:cmd);\nif (version && version =~ \"^[0-9]+\\.\")\n{\n version = chomp(version);\n if (version !~ \"^14\\.\") exit(1, \"Failed to get the version for \"+prod+\" - '\"+version+\"'.\");\n\n installs[prod] = version;\n\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n fixed_version = '14.5.3';\n fix = split(fixed_version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(fix); i++)\n fix[i] = int(fix[i]);\n\n for (i=0; i<max_index(fix); i++)\n if ((ver[i] < fix[i]))\n {\n info +=\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n break;\n }\n else if (ver[i] > fix[i])\n break;\n}\n\n# Report findings.\nif (info)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:info);\n else security_hole(0);\n\n exit(0);\n}\nelse\n{\n if (max_index(keys(installs)) == 0) exit(0, \"Office for Mac 2011 is not installed.\");\n else\n {\n msg = 'The host has ';\n foreach prod (sort(keys(installs)))\n msg += prod + ' ' + installs[prod] + ' and ';\n msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));\n\n msg += ' installed and thus is not affected.';\n\n exit(0, msg);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:01", "references": [], "description": "Memory corruptions, DLL planting, restrictions bypass.", "edition": 1, "reporter": "MICROSOFT", "published": "2015-07-19T00:00:00", "title": "Microsoft Office multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:01", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "SharePoint Server", "version": "2007", "operator": "eq"}, {"name": "Office", "version": "2013", "operator": "eq"}, {"name": "Office", "version": "2010", "operator": "eq"}, {"name": "SharePoint Server", "version": "2010", "operator": "eq"}, {"name": "Office", "version": "2007", "operator": "eq"}, {"name": "SharePoint Server", "version": "2013", "operator": "eq"}], "cvelist": ["CVE-2015-2377", "CVE-2015-2378", "CVE-2015-2376", "CVE-2015-2375", "CVE-2015-2424", "CVE-2015-2379", "CVE-2015-2380", "CVE-2015-2415"], "modified": "2015-07-19T00:00:00", "id": "SECURITYVULNS:VULN:14595", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14595", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-09-17T13:35:53", "references": ["https://technet.microsoft.com/en-us/library/security/MS15-070", "https://support.microsoft.com/en-us/kb/3054958"], "pluginID": "1361412562310805814", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 6, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-07-15T00:00:00", "title": "Microsoft Office Word Viewer Memory Corruption Vulnerability (3072620)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2379"], "modified": "2018-09-17T00:00:00", "id": "OPENVAS:1361412562310805814", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805814", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_word_viewer_ms15-070.nasl 11424 2018-09-17 08:03:52Z mmartin $\n#\n# Microsoft Office Word Viewer Memory Corruption Vulnerability (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805814\");\n script_version(\"$Revision: 11424 $\");\n script_cve_id(\"CVE-2015-2379\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-17 10:03:52 +0200 (Mon, 17 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 12:17:26 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Word Viewer Memory Corruption Vulnerability (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to improper handling of files\n in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word Viewer\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3054958\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"SMB/Office/WordView/Version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nwordviewVer = get_kb_item(\"SMB/Office/WordView/Version\");\nif(wordviewVer)\n{\n if(version_in_range(version:wordviewVer, test_version:\"11.0\", test_version2:\"11.0.8418\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:49:08", "references": ["https://support.microsoft.com/en-us/kb/3054999", "https://technet.microsoft.com/en-us/library/security/MS15-070", "https://support.microsoft.com/en-us/kb/3054963", "https://support.microsoft.com/en-us/kb/2965283"], "pluginID": "1361412562310805810", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 4, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-07-15T00:00:00", "title": "Microsoft Office PowerPoint Remote Code Execution Vulnerability (3072620)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2424"], "modified": "2017-07-04T00:00:00", "id": "OPENVAS:1361412562310805810", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805810", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_powerpoint_ms15-070.nasl 6523 2017-07-04 15:46:12Z cfischer $\n#\n# Microsoft Office PowerPoint Remote Code Execution Vulnerability (3072620)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805810\");\n script_version(\"$Revision: 6523 $\");\n script_cve_id(\"CVE-2015-2424\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-04 17:46:12 +0200 (Tue, 04 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-15 10:27:38 +0530 (Wed, 15 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office PowerPoint Remote Code Execution Vulnerability (3072620)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to improper handling of files\n in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"\n Microsoft PowerPoint 2007 Service Pack 3 and prior,\n Microsoft PowerPoint 2010 Service Pack 2 and prior,\n Microsoft PowerPoint 2013 Service Pack 1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed\n hotfixes or download and update mentioned hotfixes in the advisory from the\n below link, https://technet.microsoft.com/en-us/security/bulletin/ms15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/2965283\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054963\");\n script_xref(name : \"URL\" , value : \"https://support.microsoft.com/en-us/kb/3054999\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\", \"SMB/Office/PowerPnt/Version\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variable initialization\noffPath = \"\";\npptVer = \"\";\ndllVer = \"\";\npath = \"\";\n\n## Get Powerpoint Version\npptVer = get_kb_item(\"SMB/Office/PowerPnt/Version\");\nif(!pptVer){\n exit(0);\n}\n\n# Office Power Point for 2007/2010/2013\npath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"ProgramFilesDir\");\nif(!path){\n exit(0);\n}\n\nforeach ver (make_list(\"\\OFFICE12\", \"\\OFFICE14\", \"\\OFFICE15\"))\n{\n ## Get Version from Ppcore.dll\n offPath = path + \"\\Microsoft Office\" + ver ;\n dllVer = fetch_file_version(sysPath:offPath, file_name:\"ppcore.dll\");\n\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"12.0\", test_version2:\"12.0.6726.4999\") ||\n version_in_range(version:dllVer, test_version:\"14.0\", test_version2:\"14.0.7153.5001\") ||\n version_in_range(version:dllVer, test_version:\"15.0\", test_version2:\"15.0.4737.1002\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-17T13:36:38", "references": ["https://support.microsoft.com/en-us/kb/3073865", "https://technet.microsoft.com/en-us/library/security/MS15-070"], "pluginID": "1361412562310805923", "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-070.", "edition": 5, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-07-16T00:00:00", "title": "Microsoft Office Excel Remote Code Execution Vulnerabilities-3072620 (Mac OS X)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Mac OS X Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2376", "CVE-2015-2379"], "modified": "2018-09-17T00:00:00", "id": "OPENVAS:1361412562310805923", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805923", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms15-070_macosx.nasl 11424 2018-09-17 08:03:52Z mmartin $\n#\n# Microsoft Office Excel Remote Code Execution Vulnerabilities-3072620 (Mac OS X)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805923\");\n script_version(\"$Revision: 11424 $\");\n script_cve_id(\"CVE-2015-2376\", \"CVE-2015-2379\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-17 10:03:52 +0200 (Mon, 17 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-16 10:57:22 +0530 (Thu, 16 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Excel Remote Code Execution Vulnerabilities-3072620 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-070.\");\n\n script_tag(name:\"vuldetect\", value:\"Get the vulnerable file version and check\n appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to improper handling\n of files in the memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to run arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2011 on Mac OS X\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from below link,\n https://technet.microsoft.com/en-us/library/security/MS15-070\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3073865\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-070\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gb_microsoft_office_detect_macosx.nasl\");\n script_mandatory_keys(\"MS/Office/MacOSX/Ver\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\noffVer = get_kb_item(\"MS/Office/MacOSX/Ver\");\n\nif(!offVer || !(offVer =~ \"^14\")){\n exit(0);\n}\n\nif(version_in_range(version:offVer, test_version:\"14.0\", test_version2:\"14.5.2\"))\n{\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2016-09-04T20:45:11", "references": ["https://threatpost.com/latest-windows-uac-bypass-permits-code-execution/119887/", "https://threatpost.com/eff-blasts-microsoft-over-malicious-windows-10-rollout-tactics/120006/", "https://threatpost.com/oracle-patches-java-zero-day/113792", "https://technet.microsoft.com/en-us/library/security/MS15-070", "https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049", "http://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/", "https://threatpost.com/microsoft-patches-hacking-team-windows-kernel-zero-day/113788", "https://threatpost.com/threatpost-news-wrap-august-19-2016/120003/"], "edition": 1, "description": "An APT group thought to be tied to Russia is flying against conventional wisdom, having as recently as the last three weeks dropped its sixth zero-day in the past four months.\n\nGiven the underground value of unpatched and unreported vulnerabilities, this is highly unusual behavior, even for a state-sponsored cyberespionage team.\n\n### Related Posts\n\n#### [Threatpost News Wrap, August 19, 2016](<https://threatpost.com/threatpost-news-wrap-august-19-2016/120003/> \"Permalink to Threatpost News Wrap, August 19, 2016\" )\n\nAugust 19, 2016 , 9:00 am\n\n#### [EFF Blasts Microsoft Over \u2018Malicious\u2019 Windows 10 Rollout Tactics](<https://threatpost.com/eff-blasts-microsoft-over-malicious-windows-10-rollout-tactics/120006/> \"Permalink to EFF Blasts Microsoft Over \u2018Malicious\u2019 Windows 10 Rollout Tactics\" )\n\nAugust 18, 2016 , 4:38 pm\n\n#### [Latest Windows UAC Bypass Permits Code Execution](<https://threatpost.com/latest-windows-uac-bypass-permits-code-execution/119887/> \"Permalink to Latest Windows UAC Bypass Permits Code Execution\" )\n\nAugust 15, 2016 , 3:35 pm\n\nNonetheless, [APT 28](<https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049>), also known by other nicknames such as Tsar Team, Operation Pawn Storm, and Sednit, has been a busy gang targeting government agencies and military operations with a host of Adobe Flash, Microsoft and Java-based zero-days at their disposal.\n\nThis week alone, two zero-days attributed to this team disappeared when they were [patched by Microsoft](<https://threatpost.com/microsoft-patches-hacking-team-windows-kernel-zero-day/113788>) and Oracle in Office and Java respectively. Researchers at [iSight Partners](<http://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/>) reported the Office zero-day to Microsoft on June 30 and it was patched on Tuesday in [MS15-070](<https://technet.microsoft.com/en-us/library/security/MS15-070>), an Office security bulletin that patched 13 other vulnerabilities in the software. Later that night, [Oracle erased a Java zero-day](<https://threatpost.com/oracle-patches-java-zero-day/113792>) in its quarterly Critical Patch Update that was used against a U.S.-based defense contractor and foreign military outfits. It was the first Java zero day actively exploited in the wild since 2013, experts said.\n\nAPT 28 keeps a vast arsenal of malware and domains under its control, according to researchers Brian Bartholomew and Jonathan Leathery of iSight.\n\n\u201cThis indicates it\u2019s not a handful of guys; this is an organization managing this stuff,\u201d Bartholomew said, adding that the group has also been known to use cryptocurrency such as Bitcoin to buy domains in order to hide registration information and remain anonymous. \u201cIt\u2019s hard to manage that much infrastructure that they own.\u201d\n\nFive of the half-dozen zero days, Bartholomew said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was uncovered after the Hacking Team breach.\n\n\u201cThey actually rewrote it, which is interesting. It\u2019s not just a copy of the [Hacking Team] proof of concept with their own shell code added,\u201d Bartholomew said.\n\nThe Office zero day, CVE-2015-2424, was likely still under development since iSight researchers said it was still fairly buggy and unreliable. It was likely spread via spear phishing emails, specifically targeting individuals or groups within sensitive organizations. The lure found by iSight was a Word document purporting to be an analysis of the Iran nuclear deal.\n\n\u201cIt\u2019s a heap corruption vulnerability in Office where it\u2019s mishandling an object in memory, which allowed for remote code execution from the weaponized document,\u201d Leathery said, adding that the message also included a CNN article on the Iran deal published June 28. The likely targets were the former Soviet republic of Georgia.\n\nThe payload is a variant of the Sofacy or Sednit Trojan, which immediately opens a backdoor to a number of attacker-controlled domains where stolen data is sent. Some of the domains, iSight said, are benign or do not belong to the APT group, a false-flag of sorts. The targets are government agencies in Eastern Europe or NATO, along with critical industries such as nuclear, telecommunications, defense industrial base and diplomatic interests.\n\nThe group is not only adept at gathering intelligence from foreign interests, but also focuses on internal dissidents and threats to national security in Russia, iSight said. One counter-terrorism operation attributed to this group is the so-called Cyber Caliphate hacktivist operation, where hackers posing as ISIS supporters set up lures via social media or forums trying to attract those sympathetic to the Islamic State. Once some confidence is established with a target via direct messaging, APT 28 would entice them to install an application that was malicious and allowed them to monitor the dissidents\u2019 activities.\n\nDespite the fact that this particular Office\u2014and Java\u2014zero day has been patched, iSight believes APT 28 is well resourced and has more at its disposal.\n\n\u201cThis throws a wrench in their plans; usually they can get a few months out of a zero day before a patch is out,\u201d Bartholomew said. \u201cIt\u2019s unprecedented using this many zero days, but at the same time, they have access to developers who can build these or have the resources to buy them.\u201d", "reporter": "Michael Mimoso", "published": "2015-07-16T13:46:00", "title": "Office, Java Patches Erase Latest APT 28 Zero Days", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "threatpost", "threatPostCategory": "Malware", "bulletinFamily": "info", "cvelist": ["CVE-2015-5119", "CVE-2015-2424"], "modified": "2015-07-21T20:45:15", "href": "https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/", "id": "OFFICE-JAVA-PATCHES-ERASE-LATEST-APT-28-ZERO-DAYS/113825", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}