{"cve": [{"lastseen": "2021-02-02T05:31:21", "description": "Unspecified vulnerability in Microsoft Word 2000 allows remote attackers to cause a denial of service (crash) via unknown vectors, a different vulnerability than CVE-2006-5994, CVE-2006-6456, CVE-2006-6561, and CVE-2007-0515, a variant of Exploit-MS06-027.", "edition": 4, "cvss3": {}, "published": "2007-02-11T21:28:00", "title": "CVE-2007-0870", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-0870"], "modified": "2018-10-16T16:34:00", "cpe": ["cpe:/a:microsoft:word:2000"], "id": "CVE-2007-0870", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0870", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:29", "bulletinFamily": "software", "cvelist": ["CVE-2007-0870"], "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.microsoft.com/technet/security/advisory/933052.mspx)\nSecurity Tracker: 1017653\n[Secunia Advisory ID:24122](https://secuniaresearch.flexerasoftware.com/advisories/24122/)\nOther Advisory URL: http://www.avertlabs.com/research/blog/?p=206\nOther Advisory URL: http://www.avertlabs.com/research/blog/?p=199\nMicrosoft Security Bulletin: MS07-024\nMicrosoft Knowledge Base Article: 934232\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0370.html\nISS X-Force ID: 32503\nFrSIRT Advisory: ADV-2007-0607\n[CVE-2007-0870](https://vulners.com/cve/CVE-2007-0870)\nCERT VU: 332404\nBugtraq ID: 22567\n", "edition": 1, "modified": "2007-02-09T03:03:57", "published": "2007-02-09T03:03:57", "href": "https://vulners.com/osvdb/OSVDB:33196", "id": "OSVDB:33196", "title": "Microsoft Word Unspecified Memory Corruption Arbitrary Code Execution (934232)", "type": "osvdb", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:42:51", "bulletinFamily": "info", "cvelist": ["CVE-2007-0870"], "description": "### Overview \n\nA vulnerability in the way Microsoft Word handles malformed Word Document streams could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nMicrosoft Word contains a memory corruption vulnerability that could be triggered when Word opens a document containing a malformed Word Document stream. Although this vulnerability was initially [reported](<http://www.avertlabs.com/research/blog/?p=206>) to only cause a denial-of-service, it is now believed that it can be used to execute arbitrary code. \n\nNote that this vulnerability is actively being exploited. \n \nMore information is available in Microsoft Security Bulletin [MS07-024](<http://www.microsoft.com/technet/security/bulletin/ms07-024.mspx>). \n \n--- \n \n### Impact \n\nBy convincing a user to open a specially crafted Word document, a remote, unauthenticated attacker could execute arbitrary code with the privileges of the user running Word. If the user is logged in with administrative privileges, the attacker could take complete control of a vulnerable system. \n \n--- \n \n### Solution \n\n**Apply an update** \nThis vulnerability is addressed by the updates included with Microsoft Security Bulletin [MS07-024](<http://www.microsoft.com/technet/security/bulletin/ms07-024.mspx>). \n \n--- \n \n \n**Do not open untrusted Word documents** \n \nDo not open unfamiliar or unexpected Word or other Office documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip [ST04-010](<http://www.us-cert.gov/cas/tips/ST04-010.html>).** \n \nDo not rely on file name extension filtering** \n \nIn most cases, Windows will call Word to open a document even if the document has an unknown file extension. For example, if `document.qwer` contains the correct file header information, Windows will open `document.qwer` with Word. Filtering for common extensions (e.g., .doc, and .dot) will not detect all Word documents. \n** \nDisable automatic opening of Microsoft Office documents** \n \nBy default, Microsoft Office 97 and Microsoft Office 2000 will configure Internet Explorer to automatically open Microsoft Office documents. This feature can be disabled by using the [Office Document Open Confirmation Tool](<http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F&displaylang=en>). Mozilla Firefox users should disable automatic opening of files, as specified in the [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/#ffdownloadactions>) document. \n \n**Open untrusted Word documents using the Microsoft Office Isolated Conversion Environment (MOICE)** \n \nOffice 2003 and 2007 users may wish to consider MOICE as a tool to securely preview untrusted Office documents. According to [Microsoft](<http://support.microsoft.com/kb/935865>): \n \n_MOICE uses the 2007 Microsoft Office system converters to convert the Office binary format files into the Office Open XML format. This process helps remove the potential threat that may exist if the document is opened in the binary format. Additionally, MOICE converts incoming files in an isolated environment. This helps protect the computer from a potential threat._ \nInstructions on how to install and configure MOICE are available in Microsoft KnowledgeBase article [935865](<http://support.microsoft.com/kb/935865>) and Microsoft Security Advisory ([937696](<http://www.microsoft.com/technet/security/advisory/937696.mspx>)). \n \n--- \n \n### Vendor Information\n\n332404\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nUpdated: May 08, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to <http://www.microsoft.com/technet/security/bulletin/ms07-024.mspx>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23332404 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/ms07-024.mspx>\n * <http://www.microsoft.com/technet/security/advisory/933052.mspx>\n * <http://www.avertlabs.com/research/blog/?p=206>\n * <http://www.avertlabs.com/research/blog/?p=199>\n * <http://isc.sans.org/diary.html?storyid=1940>\n * [http://isc.sans.org/diary.html?n&storyid=2226](<http://isc.sans.org/diary.html?n&storyid=2226>)\n * <http://secunia.com/advisories/24122/>\n * <http://securitytracker.com/alerts/2007/Feb/1017653.html>\n * <http://www.securityfocus.com/bid/22567>\n\n### Acknowledgements\n\nThis vulnerability was reported by McAfee Avert Labs.\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-0870](<http://web.nvd.nist.gov/vuln/detail/CVE-2007-0870>) \n---|--- \n**Severity Metric:** | 8.78 \n**Date Public:** | 2007-02-09 \n**Date First Published:** | 2007-02-15 \n**Date Last Updated: ** | 2007-06-15 21:54 UTC \n**Document Revision: ** | 27 \n", "modified": "2007-06-15T21:54:00", "published": "2007-02-15T00:00:00", "id": "VU:332404", "href": "https://www.kb.cert.org/vuls/id/332404", "type": "cert", "title": "Microsoft Word fails to properly handle malformed strings", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "cvelist": ["CVE-2007-0870"], "description": "Microsoft Security Advisory (933052)\r\nVulnerability in Microsoft Word Could Allow Remote Code Execution\r\nPublished: February 14, 2007\r\n\r\nMicrosoft is investigating new public reports of very limited, targeted attacks against Microsoft Word \u201czero-day\u201d using a vulnerability in Microsoft Office 2000 and Microsoft Office XP.\r\n\r\nIn order for this attack to be carried out, a user must first open a malicious Office file attached to an e-mail or otherwise provided to them by an attacker.\r\n\r\nAs a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability.\r\n\r\nMicrosoft intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks.\r\n\r\nCustomers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nUpon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.\r\nGeneral Information\r\n\t\r\nOverview\r\n\r\nPurpose of Advisory: To provide customers with initial notification of the publicly disclosed vulnerability. For more information see the \u201cWorkarounds and Mitigations\u201d and \u201cSuggested Actions\u201d section of the security advisory.\r\n\r\nAdvisory Status: Under Investigation.\r\n\r\nRecommendation: Do not open or save Office files that you receive from un-trusted sources or that are received unexpected from trusted sources. This vulnerability could be exploited when a user opens a file.\r\nReferences\tIdentification\r\n\r\nCVE Reference\r\n\t\r\n\r\nCVE-2007-0870\r\n\r\nThis advisory discusses the following software.\r\nReferences\r\n\r\nOffice 2000\r\n\r\nOffice XP\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions\r\n\r\nWhat is the scope of the advisory?\r\nMicrosoft is aware of a new vulnerability report affecting Word, which is a component of Microsoft Office. This vulnerability affects the software that is listed in the \u201cOverview\u201d section.\r\n\r\nIs this a security vulnerability that requires Microsoft to issue a security update?\r\nMicrosoft is developing a security update for Office that addresses this vulnerability.\r\n\r\nWhat versions of Microsoft Office are associated with this advisory?\r\nThis advisory addresses Office 2000 and Office XP.\r\n\r\nWhat causes the vulnerability?\r\nWhen a user opens a specially crafted Word file using a malformed string, it may corrupt system memory in such a way that an attacker could execute arbitrary code.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\r\nIn an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and by persuading the user to open the file.\r\nTop of sectionTop of section\r\n\t\r\nMitigating Factors for Microsoft Word Remote Code Execution Vulnerability:\r\n\u2022\t\r\n\r\nThe vulnerability cannot be exploited on Office 2007, Office 2003 or Word 2003 Viewer.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\u2022\t\r\n\r\nThe vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.\r\n\u2022\t\r\n\r\nUsers who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Microsoft Word Remote Code Vulnerability:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\u2022\t\r\n\r\nDo not open or save Office files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Office file.\r\nTop of sectionTop of section\r\n\t\r\nSuggested Actions\r\n\u2022\t\r\n\r\nProtect Your PC\r\n\r\nWe continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing ant-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.\r\n\u2022\t\r\n\r\nFor more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.\r\n\u2022\t\r\n\r\nCustomers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.\r\n\r\nAll customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.\r\n\u2022\t\r\n\r\nWe recommend that customers exercise extreme caution when they accept file transfers from both known and unknown sources. For more information about how to help protect your computer while you use MSN Messenger, visit the MSN Messenger Frequently Asked Questions Web site.\r\n\r\nKeep Windows Updated\r\n\u2022\t\r\n\r\nAll Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.\r\nTop of sectionTop of section\r\n\r\nResources:\r\n\u2022\t\r\n\r\nYou can provide feedback by completing the form by visiting the following Web site.\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.\r\n\u2022\t\r\n\r\nThe Microsoft TechNet Security Web site provides additional information about security in Microsoft products.\r\n\r\nDisclaimer:\r\n\r\nThe information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (February 14, 2007): Advisory published.", "edition": 1, "modified": "2007-02-16T00:00:00", "published": "2007-02-16T00:00:00", "id": "SECURITYVULNS:DOC:16098", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16098", "title": "Microsoft Security Advisory (933052) Vulnerability in Microsoft Word Could Allow Remote Code Executio", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:22", "bulletinFamily": "software", "cvelist": ["CVE-2007-0035", "CVE-2007-0870", "CVE-2007-1202"], "description": "Microsoft Security Bulletin MS07-024\r\nVulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)\r\nPublished: May 8, 2007\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Word\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately\r\n\r\nSecurity Update Replacement: This bulletin replaces a prior security update. See the Frequently Asked Questions (FAQ) section of this bulletin for details.\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nMicrosoft Office 2000 Service Pack 3\r\n\u2022\t\r\n\r\nMicrosoft Word 2000 - Download the update (KB934392)\r\n\u2022\t\r\n\r\nMicrosoft Office XP Service Pack 3\r\n\u2022\t\r\n\r\nMicrosoft Word 2002 - Download the update (KB934394)\r\n\u2022\t\r\n\r\nMicrosoft Office 2003 Service Pack 2\r\n\u2022\t\r\n\r\nMicrosoft Word 2003 - Download the update (KB934181)\r\n\u2022\t\r\n\r\nMicrosoft Word Viewer 2003 - Download the update (KB934041)\r\n\u2022\t\r\n\r\nMicrosoft Office 2004 for Mac - Download the update (KB936749)\r\n\u2022\t\r\n\r\nMicrosoft Works Suites:\r\n\u2022\t\r\n\r\nMicrosoft Works Suite 2004 - Download the update (KB934394) (same as the Microsoft Word 2002 update)\r\n\u2022\t\r\n\r\nMicrosoft Works Suite 2005 - Download the update (KB934394) (same as the Microsoft Word 2002 update)\r\n\u2022\t\r\n\r\nMicrosoft Works Suite 2006 - Download the update (KB934394) (same as the Microsoft Word 2002 update)\r\n\r\nNon-Affected Software:\r\n\u2022\t\r\n\r\n2007 Microsoft Office System\r\n\u2022\t\r\n\r\nMicrosoft Word 2007\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions are either past their support life cycle or are not affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\nTop of sectionTop of section\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves several newly discovered, privately and publicly reported vulnerabilities. Each vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin.\r\n\r\nWe recommend that customers apply the update immediately.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tMicrosoft Word 2000 Service Pack 3\tMicrosoft Word 2002 Service Pack 3\tMicrosoft Word 2003 Service Pack 2\tMicrosoft Word Viewer 2003 \tMicrosoft Works Suite 2004, 2005, and 2006\tMicrosoft Office 2004 for Mac\r\n\r\nWord Array Overflow Vulnerability - CVE-2007-0035\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\r\nWord Document Stream Vulnerability - CVE-2007-0870\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\t\r\n\r\nNone\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWord RTF Parsing Vulnerability - CVE-2007-1202\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\r\nAggregate Severity of All Vulnerabilities\r\n\t\r\n\r\n \r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant.\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhy does this update address several reported security vulnerabilities? \r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers can install only this update.\r\n\r\nWhat updates does this release replace? \r\nThis security update replaces a prior security update. The security bulletin ID and affected software is listed in the following table.\r\nBulletin ID\tMicrosoft Word 2000 Service Pack 3\tMicrosoft Word 2002 Service Pack 3\tMicrosoft Word 2003 Service Pack 2\tMicrosoft Word Viewer 2003\r\n\r\nMS07-014\r\n\t\r\n\r\nReplaced\r\n\t\r\n\r\nReplaced\r\n\t\r\n\r\nReplaced\r\n\t\r\n\r\nReplaced\r\n\r\nNote Microsoft Word 2002 replacement also replaces Microsoft Works Suite 2004, 2005, and 2006.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required? \r\nThe following table provides the MBSA detection summary for this security update.\r\nSoftware\tMBSA 1.2.1\tMBSA 2.0.1\r\n\r\nMicrosoft Word 2000 Service Pack 3\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nNo\r\n\r\nMicrosoft Word 2002 Service Pack 3\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Word 2003 Service Pack 2\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Word Viewer 2003\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Office 2004 for Mac\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nNo\r\n\r\nNote MBSA 1.2.1 uses an integrated version of the Office Detection Tool (ODT) which does not support remote scans of this security update. For more information about MBSA, visit the MBSA Web site.\r\n\r\nNote Microsoft Works 2004, 2005 and 2006 updates are the same as the Microsoft Word 2002 update.\r\n\r\nFor more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required? \r\nThe following table provides the SMS summary for this security update.\r\nSoftware\tSMS 2.0\tSMS 2003\r\n\r\nMicrosoft Word 2000\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nNo\r\n\r\nMicrosoft Word 2002\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Word 2003\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Word Viewer 2003\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Word 2004 for Mac\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nNo\r\n\r\nSMS uses MBSA for detection. Therefore, SMS has the same limitation that is listed earlier in this bulletin related to programs that MBSA does not detect.\r\n\r\nFor SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool, can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about the Security Update Inventory Tool, visit the following Microsoft Web site. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nFor SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 Inventory Tool for Microsoft Updates, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nNote If you have used an Administrative Installation Point (AIP) for deploying Office 2000, Office XP or Office 2003, you may not be able to deploy the update using SMS if you have updated the AIP from the original baseline.\r\n\u2022\t\r\n\r\nFor more information about how to change the source for a client computer from an updated administrative installation point to an Office 2000 original baseline source or Service Pack 3 (SP3), see Microsoft Knowledge Base Article 932889.\r\n\u2022\t\r\n\r\nFor more information on how to change the source for a client computer from an updated administrative installation point to an Office XP original baseline source or Service Pack 3 (SP3), see Microsoft Knowledge Base Article 922665.\r\n\u2022\t\r\n\r\nFor more information about how to change the source for a client computer from an updated administrative installation point to an Office 2003 original baseline source or Service Pack 2 (SP2), see Microsoft Knowledge Base Article 902349.\r\n\r\nFor more information about SMS, visit the SMS Web site.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.\r\nTop of sectionTop of section\r\n\t\r\nVulnerability Details\r\n\t\r\nWord Array Overflow Vulnerability - CVE-2007-0035:\r\n\r\nA remote code execution vulnerability exists in the way Microsoft Word handles data within an array. A specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.\r\n\t\r\nMitigating factors for Word Array Overflow Vulnerability - CVE-2007-0035:\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\u2022\t\r\n\r\nThe vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.\r\n\u2022\t\r\n\r\nUsers who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. The features of the Office Document Open Confirmation Tool are incorporated in Office XP and Office 2003.\r\n\u2022\t\r\n\r\nMicrosoft Office Word 2007 is not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Word Array Overflow Vulnerability - CVE-2007-0035:\r\n\r\nDo not open or save Microsoft Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Word Array Overflow Vulnerability - CVE-2007-0035:\r\n\r\nWhat is the scope of the vulnerability? \r\nA remote code execution vulnerability exists in the way Microsoft Word handles data within an array. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.\r\n\r\nIf the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nWord does not perform sufficient validation when handling data within an array.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could cause arbitrary code to run with the privileges of the user who opened the file.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nThis vulnerability requires that a user open a specially crafted Word file of an affected version of Microsoft Word.\r\n\r\nIn an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and by convincing the user to open the file.\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers that have Microsoft Word installed are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update removes the vulnerability by modifying the way that Microsoft Word handles data within certain arrays.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This security bulletin addresses the privately disclosed vulnerability as well as additional issues discovered through internal investigations.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nWord Document Stream Vulnerability - CVE-2007-0870:\r\n\r\nA remote code execution vulnerability exists in the way Microsoft Word handles a specially crafted Word Document stream. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.\r\n\t\r\nMitigating Factors for Word Document Stream Vulnerability - CVE-2007-0870:\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\u2022\t\r\n\r\nThe vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.\r\n\u2022\t\r\n\r\nUsers who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. The features of the Office Document Open Confirmation Tool are incorporated in Office XP and Office 2003.\r\n\u2022\t\r\n\r\nMicrosoft Office Word 2007 is not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Word Document Stream Vulnerability - CVE-2007-0870:\r\n\r\nDo not open or save Microsoft Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Word Document Stream Vulnerability - CVE-2007-0870:\r\n\r\nWhat is the scope of the vulnerability? \r\nA remote code execution vulnerability exists in the way Microsoft Word handles a specially crafted Word Document stream. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. Viewing or previewing a malformed e-mail message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.\r\n\r\nIf the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nWord does not perform sufficient validation when handling objects with a Word Document stream. This may corrupt memory in such a way that an attacker could execute arbitrary code.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could cause arbitrary code to run with the privileges of the user who opened the file.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nIn an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and by convincing the user to open the file.\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers that have Microsoft Word installed are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update removes the vulnerability by modifying the way that Microsoft Word handles certain objects within Word Document Streams.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2007-0870.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nYes. When this security bulletin was released, Microsoft had received information that this vulnerability was being exploited.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nWord RTF Parsing Vulnerability - CVE-2007-1202:\r\n\r\nA remote code execution vulnerability exists in the way Microsoft Word parses certain rich text properties within a file. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.\r\n\t\r\nMitigating Factors for Word RTF Parsing Vulnerability - CVE-2007-1202:\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\u2022\t\r\n\r\nThe vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.\r\n\u2022\t\r\n\r\nUsers who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. The features of the Office Document Open Confirmation Tool are incorporated in Office XP and Office 2003.\r\n\u2022\t\r\n\r\nMicrosoft Office Word 2007 is not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Word RTF Parsing Vulnerability - CVE-2007-1202:\r\n\r\nDo not open or save Microsoft Office Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Word RTF Parsing Vulnerability - CVE-2007-1202:\r\n\r\nWhat is the scope of the vulnerability? \r\nA remote code execution vulnerability exists in the way Microsoft Word parses certain rich text properties within a file. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. Viewing or previewing a malformed e-mail message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Word file that could allow remote code execution.\r\n\r\nIf the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nWord does not perform sufficient data validation when handling rich text within the contents of a file. When Word opens and parses specially crafted file, it may corrupt memory in such a way that an attacker could execute arbitrary code.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could cause arbitrary code to run with the privileges of the user who opened the file.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nIn an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and by convincing the user to open the file.\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Word file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers that have Microsoft Word installed are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update removes the vulnerability by modifying the way that Word handles certain properties of rich text within a file.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This security bulletin addresses the privately disclosed vulnerability as well as additional issues discovered through internal investigations.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nCraig Schmugar of McAfee Avert Labs for working with us on the Word Document Stream Vulnerability (CVE-2007-0870)\r\n\u2022\t\r\n\r\nAndreas Marx of AV-Test for working with us on the Word Document Stream Vulnerability (CVE-2007-0870)\r\n\u2022\t\r\n\r\niDefense Labs VCP for reporting the Word RTF Parsing Vulnerability (CVE-2007-1202)\r\n\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (May 8, 2007): Bulletin published.", "edition": 1, "modified": "2007-05-08T00:00:00", "published": "2007-05-08T00:00:00", "id": "SECURITYVULNS:DOC:16959", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16959", "title": "Microsoft Security Bulletin MS07-024 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:25", "bulletinFamily": "software", "cvelist": ["CVE-2007-0035", "CVE-2007-0870", "CVE-2007-1202"], "description": "Array overflows, memory corruptions on streams parsing and RTF parsing.", "edition": 1, "modified": "2007-05-10T00:00:00", "published": "2007-05-10T00:00:00", "id": "SECURITYVULNS:VULN:7678", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7678", "title": "Microsoft Word multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-0515", "CVE-2007-0209", "CVE-2007-0208", "CVE-2007-0870", "CVE-2006-5994", "CVE-2006-3877", "CVE-2007-0671", "CVE-2006-6561", "CVE-2007-0913", "CVE-2006-6456"], "description": "Multiple vulnerabilities with different object types handling.", "edition": 1, "modified": "2007-02-14T00:00:00", "published": "2007-02-14T00:00:00", "id": "SECURITYVULNS:VULN:7232", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7232", "title": "Multiple Microsoft Office vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-03-01T06:18:17", "description": "The remote host is running a version of Microsoft Word that could allow\narbitrary code to be run.\n\nAn attacker could use this to execute arbitrary code on this host.\n\nTo succeed, the attacker would have to send a rogue file to a user of\nthe remote computer and have it open it. Then a bug in the font parsing\nhandler would result in code execution.", "edition": 28, "published": "2007-05-08T00:00:00", "title": "MS07-024: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-0035", "CVE-2007-0870", "CVE-2007-1202"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:microsoft:works", "cpe:/a:microsoft:office"], "id": "SMB_NT_MS07-024.NASL", "href": "https://www.tenable.com/plugins/nessus/25163", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25163);\n script_version(\"1.39\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2007-0035\", \"CVE-2007-0870\", \"CVE-2007-1202\");\n script_bugtraq_id(22567, 23804, 23836);\n \n script_xref(name:\"MSFT\", value:\"MS07-024\");\n script_xref(name:\"MSKB\", value:\"934181\");\n script_xref(name:\"MSKB\", value:\"934392\");\n script_xref(name:\"MSKB\", value:\"934394\");\n script_xref(name:\"CERT\", value:\"260777\");\n script_xref(name:\"CERT\", value:\"332404\");\n script_xref(name:\"CERT\", value:\"555489\");\n\n script_name(english:\"MS07-024: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)\");\n script_summary(english:\"Determines the version of WinWord.exe\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nWord.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Microsoft Word that could allow\narbitrary code to be run.\n\nAn attacker could use this to execute arbitrary code on this host.\n\nTo succeed, the attacker would have to send a rogue file to a user of\nthe remote computer and have it open it. Then a bug in the font parsing\nhandler would result in code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-024\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Word 2000, XP and 2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/05/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:works\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_nt_ms02-031.nasl\", \"office_installed.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS07-024';\nkbs = make_list(\"934181\", \"934392\", \"934394\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nport = get_kb_item(\"SMB/transport\");\n\n#\n# Word\n#\nvuln = 0;\nlist = get_kb_list_or_exit(\"SMB/Office/Word/*/ProductPath\");\nforeach item (keys(list))\n{\n v = item - 'SMB/Office/Word/' - '/ProductPath';\n if(ereg(pattern:\"^9\\..*\", string:v))\n {\n # Word 2000 - fixed in 9.0.0.8961\n office_sp = get_kb_item(\"SMB/Office/2000/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n sub = ereg_replace(pattern:\"^9\\.00?\\.00?\\.([0-9]*)$\", string:v, replace:\"\\1\");\n if(sub != v && int(sub) < 8961 ) {\n vuln++;\n info =\n '\\n Product : Excel 2000' +\n '\\n Installed version : ' + v +\n '\\n Fixed version : 9.0.0.8961\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:'934392');\n }\n }\n }\n else if(ereg(pattern:\"^10\\..*\", string:v))\n {\n # Word XP - fixed in 10.0.6829.0\n office_sp = get_kb_item(\"SMB/Office/XP/SP\");\n if (!isnull(office_sp) && office_sp == 3)\n {\n middle = ereg_replace(pattern:\"^10\\.0\\.([0-9]*)\\.[0-9]*$\", string:v, replace:\"\\1\");\n if(middle != v && int(middle) < 6829) {\n vuln++;\n info =\n '\\n Product : Excel 2002' +\n '\\n Installed version : ' + v +\n '\\n Fixed version : 10.0.6829.0\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:'934394');\n }\n }\n }\n else if(ereg(pattern:\"^11\\..*\", string:v))\n {\n # Word 2003 - fixed in 11.0.8134.0\n office_sp = get_kb_item(\"SMB/Office/2003/SP\");\n if (!isnull(office_sp) && office_sp == 2)\n {\n middle = ereg_replace(pattern:\"^11\\.0\\.([0-9]*)\\.[0-9]*$\", string:v, replace:\"\\1\");\n if(middle != v && int(middle) < 8134) {\n vuln++;\n info =\n '\\n Product : Excel 2003' +\n '\\n Installed version : ' + v +\n '\\n Fixed version : 11.0.8134.0\\n';\n hotfix_add_report(info, bulletin:bulletin, kb:'934181');\n }\n }\n }\n}\nif (vuln)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-28T20:40:35", "description": "The remote host is running a version of Microsoft Office that is\naffected by various flaws that may allow arbitrary code to be run.\n\nTo succeed, the attacker would have to send a rogue file to a user of\nthe remote computer and have him open it with Microsoft Word, Excel or\nanother Office application.", "edition": 11, "published": "2007-05-09T00:00:00", "title": "MS07-023 / MS07-024 / MS07-025: Vulnerabilities in Microsoft Office Allow Remote Code Execution (934233 / 934232 / 934873) (Mac OS X)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-0035", "CVE-2007-0215", "CVE-2007-0870", "CVE-2007-1203", "CVE-2007-1202", "CVE-2007-1214", "CVE-2007-1747"], "modified": "2007-05-09T00:00:00", "cpe": ["cpe:/a:microsoft:office:2004::mac"], "id": "MACOSX_MS_OFFICE_MAY2007.NASL", "href": "https://www.tenable.com/plugins/nessus/25173", "sourceData": "#TRUSTED 9b0160e692fa250dc2bb84b8fd390070eb263724fdcdf341f766a19ec3ae564ad7a1a85d179dddbebe8c92e41b9d6b89949fbeeb983fb1ca768ae2a5dcc05833c870cccc4059878fbd17df63875edcde323861a83ccb753fd94f799a7c110d5fa1ea4e2bb209cf37874b107149375d23e3a38f5ddaaf53b8a36e7d0c213f26f55ce2651f03f4eae5ae1a798155c6206bc5d9798b46a4a296ee67cb4672287cf56042903c159c18f313cb9d017bf6237f5a56bff6e5a7a899be25c8fdea2c53debaacc02cb13d0d313d0d768e7ac0b0d74d999736fba0b93915cb4c611183458d5928da30a219a8720283f9786dabd7a6143e28ebe0d9265167545970fc40610289e6dfec4f3bca0ee0da8160bf1209aa071e2aa76c23d453ac2a76ddc773ecc38d118acb303e39ed74360f87b178a843107d06ea8b6d2c11056f3c1eca313116d7f2c7381b6fb4d6e8f1bbe18fd962ae3de206ef5af89c3fb89be3fcf07179c77680286c476d6c2a293a3994178e3756708189c79f25db27643facd9d781c602d848918fe0de0b91779d6ef15275fcd2b30890f0445df13e0ad7129d0d283d009e09121cd14efefcdbe4f5160dfb1b4e8dec3d395e078c09d7903d9f27ddad5a7d98471bbfed9881f405754133d475ce9cde63c1d41bf933ab44e5ad8059e8207e07dda2cf3e3f83edf3726052aa2803b0e16097687d1a2bab54fbdc966c6477\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25173);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/07/14\");\n\n script_cve_id(\n \"CVE-2007-0035\",\n \"CVE-2007-0215\",\n # \"CVE-2007-0870\", Microsoft Office 2004 for Mac not impacted\n \"CVE-2007-1202\",\n \"CVE-2007-1203\",\n \"CVE-2007-1214\",\n \"CVE-2007-1747\"\n );\n script_bugtraq_id(23760, 23779, 23780, 23804, 23826, 23836);\n script_xref(name:\"MSFT\", value:\"MS07-023\");\n script_xref(name:\"MSFT\", value:\"MS07-024\");\n script_xref(name:\"MSFT\", value:\"MS07-025\");\n script_xref(name:\"MSKB\", value:\"934232\");\n script_xref(name:\"MSKB\", value:\"934233\");\n script_xref(name:\"MSKB\", value:\"934873\");\n\n script_name(english:\"MS07-023 / MS07-024 / MS07-025: Vulnerabilities in Microsoft Office Allow Remote Code Execution (934233 / 934232 / 934873) (Mac OS X)\");\n script_summary(english:\"Check for Office 2004 and X\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"An application installed on the remote Mac OS X host is affected by\nmultiple remote code execution vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is running a version of Microsoft Office that is\naffected by various flaws that may allow arbitrary code to be run.\n\nTo succeed, the attacker would have to send a rogue file to a user of\nthe remote computer and have him open it with Microsoft Word, Excel or\nanother Office application.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms07-023\");\n\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms07-024\");\n\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms07-025\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Office for Mac OS X.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2004::mac\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nuname = get_kb_item(\"Host/uname\");\nif ( egrep(pattern:\"Darwin.*\", string:uname) )\n{\n off2004 = GetCarbonVersionCmd(file:\"Microsoft Component Plugin\", path:\"/Applications/Microsoft Office 2004/Office\");\n\n if ( ! islocalhost() )\n {\n ret = ssh_open_connection();\n if ( ! ret ) exit(0);\n buf = ssh_cmd(cmd:off2004);\n ssh_close_connection();\n }\n else\n buf = pread(cmd:\"/bin/bash\", argv:make_list(\"bash\", \"-c\", off2004));\n\n\n if ( buf =~ \"^11\\.\" )\n\t{\n\t vers = split(buf, sep:'.', keep:FALSE);\n\t if ( (int(vers[0]) == 11 && int(vers[1]) < 3) ||\n (int(vers[0]) == 11 && int(vers[1]) == 3 && int(vers[2]) < 5 ) ) security_hole(0);\n\t}\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
