Search...

Microsoft Offcie multiple security vulnerabilities

2007-05-08T00:00:00

ID SECURITYVULNS:VULN:7679
Type securityvulns
Reporter MICROSOFT
Modified 2007-05-08T00:00:00

Description

Memory corruption on drawing objects parsing.

JSON Vulners Source

Initial Source

{"id": "SECURITYVULNS:VULN:7679", "bulletinFamily": "software", "title": "Microsoft Offcie multiple security vulnerabilities", "description": "Memory corruption on drawing objects parsing.", "published": "2007-05-08T00:00:00", "modified": "2007-05-08T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7679", "reporter": "MICROSOFT", "references": ["https://vulners.com/securityvulns/securityvulns:doc:16960"], "cvelist": ["CVE-2007-1747"], "type": "securityvulns", "lastseen": "2018-08-31T11:09:25", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "a4515aa57446b8cc5ae24795905aac87"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "7896e51daa0fa4aaa21b44341fcc6097"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "2556243a9a1f8971396958f6ed570ff1"}, {"key": "href", "hash": "a6a6868e5c0e07c5b3c048ab58ab9f75"}, {"key": "modified", "hash": "017153e4fbd6bd2e54ff469e42a85c1c"}, {"key": "published", "hash": "017153e4fbd6bd2e54ff469e42a85c1c"}, {"key": "references", "hash": "2bb54de5285ae707ec456f190d6c2438"}, {"key": "reporter", "hash": "6ef686b32faf3c870b16770ecf4de086"}, {"key": "title", "hash": "bdd6d9a30b50ba9ab1e5f7119f323c1c"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "d2490b2461d81e80105ac6e24dad5a1af842ad2228d03c519b68d5e84b1c6b74", "viewCount": 0, "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2018-08-31T11:09:25"}, "vulnersScore": 7.2}, "objectVersion": "1.3", "affectedSoftware": [{"name": "Office", "operator": "eq", "version": "2007"}, {"name": "Office", "operator": "eq", "version": "2000"}, {"name": "Office", "operator": "eq", "version": "2003"}]}

{"cve": [{"lastseen": "2017-10-11T11:07:04", "references": ["http://www.securityfocus.com/archive/1/archive/1/468871/100/200/threaded", "http://www.vupen.com/english/advisories/2007/1710", "http://www.kb.cert.org/vuls/id/853184", "http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx", "http://www.us-cert.gov/cas/techalerts/TA07-128A.html", "https://exchange.xforce.ibmcloud.com/vulnerabilities/33908", "http://www.securitytracker.com/id?1018014", "http://www.securityfocus.com/bid/23826"], "description": "Unspecified vulnerability in MSO.dll in Microsoft Office 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and 2007 allows user-assisted remote attackers to execute arbitrary code via a malformed drawing object, which triggers memory corruption.", "edition": 3, "reporter": "NVD", "published": "2007-05-08T19:19:00", "title": "CVE-2007-1747", "type": "cve", "enchantments": {"score": {"modified": "2017-10-11T11:07:04", "vector": "NONE", "value": 9.3}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:2051", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2051"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2007-1747"], "scanner": [{"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:2051", "href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:2051"}], "modified": "2017-10-10T21:31:58", "cpe": ["cpe:/a:microsoft:office:2000:sp3", "cpe:/a:microsoft:office:2007", "cpe:/a:microsoft:office:xp:sp3", "cpe:/a:microsoft:office:2004::mac", "cpe:/a:microsoft:office:2003:sp2"], "id": "CVE-2007-1747", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1747", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2018-08-31T02:37:11", "references": ["http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F&displaylang=en", "http://www.us-cert.gov/cas/tips/ST04-010.html", "http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx", "http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx", "http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1747", "http://www.us-cert.gov/reading_room/securing_browser/#ffdownloadactions"], "description": "### Overview\n\nMicrosoft Office fails to properly handle malformed drawing objects. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code.\n\n### Description\n\nMicrosoft Office fails to properly handle malformed drawing objects embedded within Office documents. By convincing a user to open a specially crafted Office document, an attacker may be able to corrupt memory in a way that could allow them to execute arbitrary code. \n\nMore information on this vulnerability is available in Microsoft Security Bulletin [MS07-025](<http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx>). \n \n--- \n \n### Impact\n\nremote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user running the Office application. If the user is logged in with administrative privileges, the attacker could take complete control of a vulnerable system \n \n--- \n \n### Solution\n\n**Apply an update** \n \nThis vulnerability is addressed by the updates included with Microsoft Security Bulletin [MS07-025](<http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx>). \n \n--- \n \n**Do not open untrusted Office documents** \n \nDo not open unfamiliar or unexpected Office documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip [ST04-010](<http://www.us-cert.gov/cas/tips/ST04-010.html>).** \n \nDo not rely on file name extension filtering** \n \nIn most cases, Windows will call the appropriate Office application to open a document even if the document has an unknown file extension. For example, if `document.qwer` contains the correct file header information for Word, Windows will open `document.qwer` with Word. Filtering for common extensions (e.g., .doc, and .dot) will not detect all Office documents. \n\n** \nDisable automatic opening of Microsoft Office documents** \n \nBy default, Microsoft Office 97 and Microsoft Office 2000 will configure Internet Explorer to automatically open Microsoft Office documents. This feature can be disabled by using the [Office Document Open Confirmation Tool](<http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F&displaylang=en>). Mozilla Firefox users should disable automatic opening of files, as specified in the [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/#ffdownloadactions>) document. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nMicrosoft Corporation| | -| 08 May 2007 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23853184 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx>\n\n### Credit\n\nThis vulnerability was reported in Microsoft Security Bulletin MS07-025 .\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n * CVE IDs: [CVE-2007-1747](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1747>)\n * Date Public: 08 May 2007\n * Date First Published: 08 May 2007\n * Date Last Updated: 08 May 2007\n * Severity Metric: 10.13\n * Document Revision: 12\n\n", "edition": 4, "reporter": "CERT", "published": "2007-05-08T00:00:00", "title": "Microsoft Office drawing object vulnerability", "type": "cert", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "info", "cvelist": ["CVE-2007-1747", "CVE-2007-1747"], "modified": "2007-05-08T00:00:00", "id": "VU:853184", "href": "https://www.kb.cert.org/vuls/id/853184", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:30", "references": [], "description": "## Vulnerability Description\nA context-dependent memory corruption flaw exists in Office. Several Office components fail to validate Office drawing objects resulting in memory corruption. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nA context-dependent memory corruption flaw exists in Office. Several Office components fail to validate Office drawing objects resulting in memory corruption. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nSecurity Tracker: 1018014\n[Secunia Advisory ID:25178](https://secuniaresearch.flexerasoftware.com/advisories/25178/)\nNews Article: http://www.informationweek.com/news/showArticle.jhtml?articleID=199400216\nMicrosoft Security Bulletin: MS07-025\nMicrosoft Knowledge Base Article: 934873\nFrSIRT Advisory: ADV-2007-1710\n[CVE-2007-1747](https://vulners.com/cve/CVE-2007-1747)\nCERT VU: 853184\nBugtraq ID: 23826\n", "edition": 1, "reporter": "OSVDB", "published": "2007-05-08T19:13:35", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Microsoft Office Crafted Drawing Object Arbitrary Code Execution", "type": "osvdb", "bulletinFamily": "software", "affectedSoftware": [{"name": "Office System", "version": "2007", "operator": "eq"}, {"name": "Office", "version": "XP", "operator": "eq"}, {"name": "Office for Mac", "version": "2004", "operator": "eq"}, {"name": "Office", "version": "2000", "operator": "eq"}, {"name": "Office", "version": "2003", "operator": "eq"}], "cvelist": ["CVE-2007-1747"], "modified": "2007-05-08T19:13:35", "href": "https://vulners.com/osvdb/OSVDB:34396", "id": "OSVDB:34396", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:41:45", "references": ["https://technet.microsoft.com/library/security/MS07-025"], "pluginID": "25164", "description": "The remote host is running a version of Microsoft Office that is subject to various flaws that could allow arbitrary code to be run.\n\nAn attacker may use this to execute arbitrary code on this host.\n\nTo succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Office.", "edition": 6, "reporter": "Tenable", "published": "2007-05-08T00:00:00", "title": "MS07-025: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (934873)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-1747"], "modified": "2018-07-27T00:00:00", "cpe": ["cpe:/a:microsoft:sharepoint_designer", "cpe:/a:microsoft:frontpage", "cpe:/a:microsoft:excel_viewer", "cpe:/a:microsoft:office", "cpe:/a:microsoft:publisher", "cpe:/a:microsoft:excel", "cpe:/a:microsoft:office_compatibility_pack"], "id": "SMB_NT_MS07-025.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=25164", "sourceData": "#\n# Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25164);\n script_version(\"1.34\");\n script_cvs_date(\"Date: 2018/07/27 18:38:16\");\n\n script_cve_id(\"CVE-2007-1747\");\n script_bugtraq_id(23826);\n script_xref(name:\"MSFT\", value:\"MS07-025\");\n script_xref(name:\"MSKB\", value:\"934062\");\n script_xref(name:\"MSKB\", value:\"934180\");\n script_xref(name:\"MSKB\", value:\"934526\");\n script_xref(name:\"MSKB\", value:\"934705\");\n \n script_xref(name:\"CERT\", value:\"853184\");\n\n script_name(english:\"MS07-025: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (934873)\");\n script_summary(english:\"Determines the version of MSO.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nOffice.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Microsoft Office that is\nsubject to various flaws that could allow arbitrary code to be run.\n\nAn attacker may use this to execute arbitrary code on this host.\n\nTo succeed, the attacker would have to send a rogue file to a user of\nthe remote computer and have it open it with Microsoft Office.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/MS07-025\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Office 2000, XP, 2003 and\n2007.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/05/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/05/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:sharepoint_designer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:frontpage\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office_compatibility_pack\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:publisher\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS07-025';\nkbs = make_list(\"934062\", \"934180\", \"934526\", \"934705\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\noffice_versions = hotfix_check_office_version ();\nif ( !office_versions ) exit(0, \"Microsoft Office not found.\");\n\nrootfiles = hotfix_get_officecommonfilesdir();\nif ( ! rootfiles ) exit(1, \"Failed to get Office Common File directory.\");\n\nlogin\t= kb_smb_login();\npass \t= kb_smb_password();\ndomain \t= kb_smb_domain();\nport = kb_smb_transport();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, \"smb_session_init\");\n\nshare = '';\nlastshare = '';\nvuln = FALSE;\ncheckedfiles = make_array();\nforeach ver (keys(office_versions))\n{\n if (typeof(rootfiles) == 'array') rootfile = rootfiles[ver];\n else rootfile = rootfiles;\n if ( \"9.0\" >< ver )\n\t{\n\t rootfile = hotfix_get_programfilesdir();\n \tdll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Microsoft Office\\Office\\mso9.dll\", string:rootfile);\n\t}\n else if ( \"10.0\" >< ver )\n dll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Microsoft Shared\\Office10\\mso.dll\", string:rootfile);\n else if ( \"11.0\" >< ver )\n dll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Microsoft Shared\\Office11\\mso.dll\", string:rootfile);\n else if ( \"12.0\" >< ver )\n dll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Microsoft Shared\\Office12\\mso.dll\", string:rootfile);\n if (checkedfiles[dll]) continue;\n\n share = hotfix_path2share(path:rootfile);\n if (share != lastshare)\n {\n NetUseDel(close:FALSE);\n r = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if ( r != 1 ) audit(AUDIT_SHARE_FAIL,share);\n }\n\n handle = CreateFile (file:dll, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);\n\n if ( ! isnull(handle) )\n {\n checkedfiles[dll] = 1;\n v = GetFileVersion(handle:handle);\n CloseFile(handle:handle);\n if ( !isnull(v) )\n {\n if (v[0] == 9 && v[1] == 0 && v[2] == 0 && v[3] < 8961)\n {\n vuln = TRUE;\n hotfix_add_report('\\nPath : '+share-'$'+':'+dll+\n '\\nVersion : '+join(v, sep:'.')+\n '\\nShould be : 9.0.0.8961\\n',\n bulletin:'MS07-025',\n kb:'934526');\n }\n else if (v[0] == 10 && v[1] == 0 && v[2] < 6830)\n {\n vuln = TRUE;\n hotfix_add_report('\\nPath : '+share-'$'+':'+dll+\n '\\nVersion : '+join(v, sep:'.')+\n '\\nShould be : 10.0.6830.0\\n',\n bulletin:'MS07-025',\n kb:'934705');\n }\n else if (v[0] == 11 && v[1] == 0 && v[2] < 8132)\n {\n vuln = TRUE;\n hotfix_add_report('\\nPath : '+share-'$'+':'+dll+\n '\\nVersion : '+join(v, sep:'.')+\n '\\nShould be : 11.0.8132.0\\n',\n bulletin:'MS07-025',\n kb:'934180');\n }\n else if (v[0] == 12 && v[1] == 0 && (v[2] < 6017 || ( v[2] == 6017 && v[3] < 5000)))\n {\n vuln = TRUE;\n hotfix_add_report('\\nPath : '+share-'$'+':'+dll+\n '\\nVersion : '+join(v, sep:'.')+\n '\\nShould be : 12.0.6017.5000\\n',\n bulletin:'MS07-025',\n kb:'934062');\n }\n }\n }\n}\nNetUseDel();\nif (vuln)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:52:53", "references": ["https://technet.microsoft.com/library/security/MS08-016"], "pluginID": "31415", "description": "The remote host is running a version of Microsoft Office that is subject to various flaws that could allow arbitrary code to be run.\n\nAn attacker may use this to execute arbitrary code on this host.\n\nTo succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it with Microsoft Office.", "edition": 13, "reporter": "Tenable", "published": "2008-03-11T00:00:00", "title": "MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0113", "CVE-2008-0118", "CVE-2007-1747"], "modified": "2018-07-30T00:00:00", "cpe": ["cpe:/a:microsoft:word_viewer", "cpe:/a:microsoft:excel_viewer", "cpe:/a:microsoft:office"], "id": "SMB_NT_MS08-016.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=31415", "sourceData": "#\n# Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(31415);\n script_version(\"1.46\");\n script_cvs_date(\"Date: 2018/07/30 11:55:12\");\n script_cve_id(\"CVE-2007-1747\", \"CVE-2008-0113\", \"CVE-2008-0118\");\n script_bugtraq_id(23826, 28146);\n script_xref(name:\"CERT\", value:\"853184\");\n script_xref(name:\"MSFT\", value:\"MS08-016\");\n script_xref(name:\"MSKB\", value:\"947355\");\n script_xref(name:\"MSKB\", value:\"947361\");\n script_xref(name:\"MSKB\", value:\"947866\");\n\n script_name(english:\"MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)\");\n script_summary(english:\"Determines the version of MSO.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nOffice.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Microsoft Office that is\nsubject to various flaws that could allow arbitrary code to be run.\n\nAn attacker may use this to execute arbitrary code on this host.\n\nTo succeed, the attacker would have to send a rogue file to a user of\nthe remote computer and have it open it with Microsoft Office.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/MS08-016\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Office 2000, XP and 2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(94, 399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/05/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/03/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/03/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel_viewer\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS08-016';\nkbs = make_list(\"947355\", \"947361\", \"947866\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\noffice_versions = hotfix_check_office_version ();\nif ( !office_versions ) exit(0, \"Microsoft Office not found.\");\n\nrootfiles = hotfix_get_officecommonfilesdir();\nif ( ! rootfiles ) exit(1, \"Failed to get Office Common Files directory.\");\n\nlogin\t= kb_smb_login();\npass \t= kb_smb_password();\ndomain \t= kb_smb_domain();\nport = kb_smb_transport();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, \"smb_session_init\");\n\nshare = '';\nlastshare = '';\nvuln = FALSE;\n\nforeach ver (keys(office_versions))\n{\n info = NULL;\n if (typeof(rootfiles) == 'array') rootfiles = rootfiles[ver];\n else rootfile = rootfiles;\n if ( \"9.0\" >< ver )\n {\n rootfile = hotfix_get_officeprogramfilesdir(officever:'9.0');\n dll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Microsoft Office\\Office\\mso9.dll\", string:rootfile);\n path = rootfile + \"\\Microsoft Office\\Office\\\";\n }\n else if ( \"10.0\" >< ver )\n {\n dll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Microsoft Shared\\Office10\\mso.dll\", string:rootfile);\n path = rootfile + \"\\Microsoft Shared\\Office10\\\";\n }\n else if ( \"11.0\" >< ver )\n {\n dll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Microsoft Shared\\Office11\\mso.dll\", string:rootfile);\n path = rootfile + \"\\Microsoft Shared\\Office11\\\";\n }\n\n share = hotfix_path2share(path:rootfile);\n if (share != lastshare)\n {\n NetUseDel(close:FALSE);\n r = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if ( r != 1 ) audit(AUDIT_SHARE_FAIL, share);\n }\n\n handle = CreateFile (file:dll, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);\n\n if ( ! isnull(handle) )\n {\n v = GetFileVersion(handle:handle);\n CloseFile(handle:handle);\n if ( !isnull(v) )\n {\n version = join(v, sep:'.');\n if (v[0] == 9 && v[1] == 0 && v[2] == 0 && v[3] < 8968)\n {\n vuln = TRUE;\n info =\n 'Product : Microsoft Office 2000\\n' +\n 'Path : ' + path + '\\n' +\n 'Installed version : ' + version + '\\n' +\n 'Fix : 9.0.0.8968';\n kb = '947361';\n }\n else if (v[0] == 10 && v[1] == 0 && v[2] < 6839)\n {\n vuln = TRUE;\n info =\n 'Product : Microsoft Office 2002\\n' +\n 'Path : ' + path + '\\n' +\n 'Installed version : ' + version + '\\n' +\n 'Fix : 10.0.6839.0';\n kb = '947866';\n }\n else if (v[0] == 11 && v[1] == 0 && v[2] < 8172)\n {\n vuln = TRUE;\n info =\n 'Product : Microsoft Office 2003\\n' +\n 'Path : ' + path + '\\n' +\n 'Installed version : ' + version + '\\n' +\n 'Fix : 11.0.8172.0';\n kb = '947355';\n }\n }\n if (info)\n {\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n }\n }\n}\nNetUseDel();\nif (vuln)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:46:37", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms07-025", "http://technet.microsoft.com/en-us/security/bulletin/ms07-024", "http://technet.microsoft.com/en-us/security/bulletin/ms07-023"], "pluginID": "25173", "description": "The remote host is running a version of Microsoft Office that is affected by various flaws that may allow arbitrary code to be run.\n\nTo succeed, the attacker would have to send a rogue file to a user of the remote computer and have him open it with Microsoft Word, Excel or another Office application.", "edition": 8, "reporter": "Tenable", "published": "2007-05-09T00:00:00", "title": "MS07-023 / MS07-024 / MS07-025: Vulnerabilities in Microsoft Office Allow Remote Code Execution (934233 / 934232 / 934873) (Mac OS X)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "MacOS X Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-0035", "CVE-2007-0215", "CVE-2007-1203", "CVE-2007-1202", "CVE-2007-1214", "CVE-2007-1747"], "modified": "2018-07-14T00:00:00", "cpe": ["cpe:/a:microsoft:office:2004::mac"], "id": "MACOSX_MS_OFFICE_MAY2007.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=25173", "sourceData": "#TRUSTED 9b0160e692fa250dc2bb84b8fd390070eb263724fdcdf341f766a19ec3ae564ad7a1a85d179dddbebe8c92e41b9d6b89949fbeeb983fb1ca768ae2a5dcc05833c870cccc4059878fbd17df63875edcde323861a83ccb753fd94f799a7c110d5fa1ea4e2bb209cf37874b107149375d23e3a38f5ddaaf53b8a36e7d0c213f26f55ce2651f03f4eae5ae1a798155c6206bc5d9798b46a4a296ee67cb4672287cf56042903c159c18f313cb9d017bf6237f5a56bff6e5a7a899be25c8fdea2c53debaacc02cb13d0d313d0d768e7ac0b0d74d999736fba0b93915cb4c611183458d5928da30a219a8720283f9786dabd7a6143e28ebe0d9265167545970fc40610289e6dfec4f3bca0ee0da8160bf1209aa071e2aa76c23d453ac2a76ddc773ecc38d118acb303e39ed74360f87b178a843107d06ea8b6d2c11056f3c1eca313116d7f2c7381b6fb4d6e8f1bbe18fd962ae3de206ef5af89c3fb89be3fcf07179c77680286c476d6c2a293a3994178e3756708189c79f25db27643facd9d781c602d848918fe0de0b91779d6ef15275fcd2b30890f0445df13e0ad7129d0d283d009e09121cd14efefcdbe4f5160dfb1b4e8dec3d395e078c09d7903d9f27ddad5a7d98471bbfed9881f405754133d475ce9cde63c1d41bf933ab44e5ad8059e8207e07dda2cf3e3f83edf3726052aa2803b0e16097687d1a2bab54fbdc966c6477\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25173);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/07/14\");\n\n script_cve_id(\n \"CVE-2007-0035\",\n \"CVE-2007-0215\",\n # \"CVE-2007-0870\", Microsoft Office 2004 for Mac not impacted\n \"CVE-2007-1202\",\n \"CVE-2007-1203\",\n \"CVE-2007-1214\",\n \"CVE-2007-1747\"\n );\n script_bugtraq_id(23760, 23779, 23780, 23804, 23826, 23836);\n script_xref(name:\"MSFT\", value:\"MS07-023\");\n script_xref(name:\"MSFT\", value:\"MS07-024\");\n script_xref(name:\"MSFT\", value:\"MS07-025\");\n script_xref(name:\"MSKB\", value:\"934232\");\n script_xref(name:\"MSKB\", value:\"934233\");\n script_xref(name:\"MSKB\", value:\"934873\");\n\n script_name(english:\"MS07-023 / MS07-024 / MS07-025: Vulnerabilities in Microsoft Office Allow Remote Code Execution (934233 / 934232 / 934873) (Mac OS X)\");\n script_summary(english:\"Check for Office 2004 and X\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"An application installed on the remote Mac OS X host is affected by\nmultiple remote code execution vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is running a version of Microsoft Office that is\naffected by various flaws that may allow arbitrary code to be run.\n\nTo succeed, the attacker would have to send a rogue file to a user of\nthe remote computer and have him open it with Microsoft Word, Excel or\nanother Office application.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms07-023\");\n\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms07-024\");\n\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms07-025\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Office for Mac OS X.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(399);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/05/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2004::mac\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nuname = get_kb_item(\"Host/uname\");\nif ( egrep(pattern:\"Darwin.*\", string:uname) )\n{\n off2004 = GetCarbonVersionCmd(file:\"Microsoft Component Plugin\", path:\"/Applications/Microsoft Office 2004/Office\");\n\n if ( ! islocalhost() )\n {\n ret = ssh_open_connection();\n if ( ! ret ) exit(0);\n buf = ssh_cmd(cmd:off2004);\n ssh_close_connection();\n }\n else\n buf = pread(cmd:\"/bin/bash\", argv:make_list(\"bash\", \"-c\", off2004));\n\n\n if ( buf =~ \"^11\\.\" )\n\t{\n\t vers = split(buf, sep:'.', keep:FALSE);\n\t if ( (int(vers[0]) == 11 && int(vers[1]) < 3) ||\n (int(vers[0]) == 11 && int(vers[1]) == 3 && int(vers[2]) < 5 ) ) security_hole(0);\n\t}\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:22", "references": [], "description": "Microsoft Security Bulletin MS07-025\r\nVulnerability in Microsoft Office Could Allow Remote Code Execution (934873)\r\nPublished: May 8, 2007\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Office\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately\r\n\r\nSecurity Update Replacement: This bulletin replaces a prior security update. See the Frequently Asked Questions (FAQ) section of this bulletin for details.\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nMicrosoft Office 2000 Service Pack 3 \u2014 Download the update (KB934526)\r\n\u2022\t\r\n\r\nMicrosoft Excel 2000\r\n\u2022\t\r\n\r\nMicrosoft FrontPage 2000\r\n\u2022\t\r\n\r\nMicrosoft Publisher 2000\r\n\u2022\t\r\n\r\nMicrosoft Office XP Service Pack 3 \u2014 Download the update (KB934705)\r\n\u2022\t\r\n\r\nMicrosoft Excel 2002\r\n\u2022\t\r\n\r\nMicrosoft FrontPage 2002\r\n\u2022\t\r\n\r\nMicrosoft Publisher 2002\r\n\u2022\t\r\n\r\nMicrosoft Office 2003 Service Pack 2 \u2014 Download the update (KB934180)\r\n\u2022\t\r\n\r\nMicrosoft Excel 2003\r\n\u2022\t\r\n\r\nMicrosoft FrontPage 2003\r\n\u2022\t\r\n\r\nMicrosoft Publisher 2003\r\n\u2022\t\r\n\r\nMicrosoft Excel 2003 Viewer\r\n\u2022\t\r\n\r\n2007 Microsoft Office System \u2014 Download the update (KB934062)\r\n\u2022\t\r\n\r\nMicrosoft Office Excel 2007\r\n\u2022\t\r\n\r\nMicrosoft Office Publisher 2007\r\n\u2022\t\r\n\r\nMicrosoft Office SharePoint Designer 2007\r\n\u2022\t\r\n\r\nMicrosoft Expression Web\r\n\u2022\t\r\n\r\nMicrosoft Office 2004 for Mac \u2014 Download the update (KB936749)\r\n\r\nNon-Affected Software:\r\n\u2022\t\r\n\r\nMicrosoft Works Suites:\r\n\u2022\t\r\n\r\nMicrosoft Works Suite 2004\r\n\u2022\t\r\n\r\nMicrosoft Works Suite 2005\r\n\u2022\t\r\n\r\nMicrosoft Works Suite 2006\r\n\u2022\t\r\n\r\nMicrosoft Office 2000 Service Pack 3\r\n\u2022\t\r\n\r\nMicrosoft Access 2000\r\n\u2022\t\r\n\r\nMicrosoft Outlook 2000\r\n\u2022\t\r\n\r\nMicrosoft PowerPoint 2000\r\n\u2022\t\r\n\r\nMicrosoft Project 2000 Service Release 1\r\n\u2022\t\r\n\r\nMicrosoft Word 2000\r\n\u2022\t\r\n\r\nMicrosoft Office XP Service Pack 3\r\n\u2022\t\r\n\r\nMicrosoft Access 2002\r\n\u2022\t\r\n\r\nMicrosoft Outlook 2002\r\n\u2022\t\r\n\r\nMicrosoft PowerPoint 2002\r\n\u2022\t\r\n\r\nMicrosoft Project 2002 Service Pack 1\r\n\u2022\t\r\n\r\nMicrosoft Visio 2002\r\n\u2022\t\r\n\r\nMicrosoft Word 2002\r\n\u2022\t\r\n\r\nMicrosoft Office 2003 Service Pack 2:\r\n\u2022\t\r\n\r\nMicrosoft Access 2003\r\n\u2022\t\r\n\r\nMicrosoft InfoPath 2003\r\n\u2022\t\r\n\r\nMicrosoft OneNote 2003\r\n\u2022\t\r\n\r\nMicrosoft Outlook 2003\r\n\u2022\t\r\n\r\nMicrosoft Project 2003\r\n\u2022\t\r\n\r\nMicrosoft PowerPoint 2003\r\n\u2022\t\r\n\r\nMicrosoft PowerPoint 2003 Viewer\r\n\u2022\t\r\n\r\nMicrosoft Visio 2003\r\n\u2022\t\r\n\r\nMicrosoft Word 2003\r\n\u2022\t\r\n\r\nMicrosoft Word 2003 Viewer\r\n\u2022\t\r\n\r\n2007 Microsoft Office System\r\n\u2022\t\r\n\r\nMicrosoft Office Access 2007\r\n\u2022\t\r\n\r\nMicrosoft Office PowerPoint 2007\r\n\u2022\t\r\n\r\nMicrosoft Office Project 2007\r\n\u2022\t\r\n\r\nMicrosoft Office Visio 2007\r\n\u2022\t\r\n\r\nMicrosoft Office Word 2007\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions are either past their support life cycle or are not affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\nTop of sectionTop of section\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a privately reported vulnerability. The vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin.\r\n\r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhen using vulnerable versions of Office, if a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWe recommend that customers apply the update immediately.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tMicrosoft Office 2000 Service Pack 3\tMicrosoft Office XP Service Pack 3\tMicrosoft Office 2003 Service Pack 2\t2007 Microsoft Office System\tMicrosoft Office 2004 for Mac\r\n\r\nDrawing Object Vulnerability - CVE-2007-1747\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nI do not have all of the Affected Software installed, but I do have other Microsoft Office applications installed. Why am I being offered the security update? \r\nThis vulnerability affects only the products listed in the Affected Software section. However, other Microsoft Office applications use some of the same files as the products listed in the Affected Software that the security update affects. We recommend installing the update to prevent the security update from being offered again.\r\n\r\nWhat updates does this release replace? \r\nThis security update replaces a prior security update. The security bulletin ID and affected software is listed in the following table.\r\nBulletin ID\tMicrosoft Office 2000 Service Pack 3\tMicrosoft Office XP Service Pack 3 \tMicrosoft Office 2003 Service Pack 2\t2007 Microsoft Office System \tMicrosoft Office 2004 for Mac\r\n\r\nMS07-015\r\n\t\r\n\r\nReplaced\r\n\t\r\n\r\nReplaced\r\n\t\r\n\r\nReplaced\r\n\t\r\n\r\nNot Applicable\r\n\t\r\n\r\nReplaced\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required? \r\nThe following table provides the MBSA detection summary for this security update.\r\nSoftware\tMBSA 1.2.1\tMBSA 2.0.1\r\n\r\nMicrosoft Office 2000 Service Pack 3\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nNo\r\n\r\nMicrosoft Office XP Service Pack 3\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Office 2003 Service Pack 2\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\n2007 Microsoft Office System\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Office 2004 for Mac\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nNo\r\n\r\nNote MBSA 1.2.1 uses an integrated version of the Office Detection Tool (ODT) which does not support remote scans of this security update. For more information about MBSA, visit the MBSA Web site.\r\n\r\nFor more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nNote for Windows Vista MBSA 2.0.1 is not supported on Windows Vista but supports remote scans of computers running Windows Vista. For additional information about MBSA support for Windows Vista, visit the MBSA Web site. See also Microsoft Knowledge Base Article 931943: Microsoft Baseline Security Analyzer (MBSA) support for Windows Vista.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required? \r\nThe following table provides the SMS summary for this security update.\r\nSoftware\tSMS 2.0\tSMS 2003\r\n\r\nMicrosoft Office 2000 Service Pack 3\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nNo\r\n\r\nMicrosoft Office XP Service Pack 3\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Office 2003 Service Pack 2\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\n2007 Microsoft Office System\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Office 2004 for Mac\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nNo\r\n\r\nSMS uses MBSA for detection. Therefore, SMS has the same limitation that is listed earlier in this bulletin related to programs that MBSA does not detect.\r\n\r\nFor SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool, can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about the Security Update Inventory Tool, visit the following Microsoft Web site. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nFor SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 Inventory Tool for Microsoft Updates, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nNote If you have used an Administrative Installation Point (AIP) for deploying Office 2000, Office XP or Office 2003, you may not be able to deploy the update using SMS if you have updated the AIP from the original baseline.\r\n\u2022\t\r\n\r\nFor more information about how to change the source for a client computer from an updated administrative installation point to an Office 2000 original baseline source or Service Pack 3 (SP3), see Microsoft Knowledge Base Article 932889.\r\n\u2022\t\r\n\r\nFor more information on how to change the source for a client computer from an updated administrative installation point to an Office XP original baseline source or Service Pack 3 (SP3), see Microsoft Knowledge Base Article 922665.\r\n\u2022\t\r\n\r\nFor more information about how to change the source for a client computer from an updated administrative installation point to an Office 2003 original baseline source or Service Pack 2 (SP2), see Microsoft Knowledge Base Article 902349.\r\n\r\nFor more information about SMS, visit the SMS Web site.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.\r\nTop of sectionTop of section\r\n\t\r\nVulnerability Details\r\n\t\r\nDrawing Object Vulnerability - CVE-2007-1747:\r\n\r\nA remote code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object. An attacker could exploit this vulnerability when Office parses a file and processes a malformed drawing object. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. An attacker could exploit the vulnerability by constructing a specially crafted Office file containing a malformed drawing object that could allow remote code execution.\r\n\t\r\nMitigating Factors for Drawing Object Vulnerability - CVE-2007-1747:\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\u2022\t\r\n\r\nThe vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.\r\n\u2022\t\r\n\r\nUsers who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. The features of the Office Document Open Confirmation Tool are incorporated in Office XP and Office 2003.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Drawing Object Vulnerability - CVE-2007-1747:\r\n\u2022\t\r\n\r\nUse Microsoft Word Viewer 2003 to open and view files. The Microsoft Word Viewer 2003 is not affected by the issue. Users can download Microsoft Word Viewer 2003 from the Microsoft Download Center.\r\n\u2022\t\r\n\r\nDo not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Drawing Object Vulnerability - CVE-2007-1747:\r\n\r\nWhat is the scope of the vulnerability? \r\nA remote code execution vulnerability exists in the way Microsoft Office handles a specially crafted drawing object. An attacker could exploit this vulnerability by getting a user into opening a specially crafted file containing a malicious drawing object. Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious Web site. Opening a specially crafted file could allow remote code execution in the security context of the logged on user.\r\n\r\nIf the user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nOffice does not perform sufficient data validation when parsing Office drawing objects. When Office opens a specially crafted Office file and parses a malformed drawing object, it may corrupt memory in such a way that an attacker could execute arbitrary code.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could run arbitrary code on a user\u2019s system. This could allow an attacker to take complete control of the affected system.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nIn an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and by convincing the user to open the file.\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nI don\u2019t have any of the affected software installed on my system but I do have MSO.dll on my system and I am getting offered the security update, why?\r\nMSO.dll is a file shared between Office applications; only customers having an Office application called out as affected are at risk from this vulnerability. Since the file is on the system even if you don\u2019t have an affected Office application installed Microsoft recommends that you install the security update.\r\n\r\nWhat does the update do? \r\nThe update removes the vulnerability by modifying the way that Microsoft Office handles certain drawing objects.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This security bulletin addresses the privately disclosed vulnerability as well as additional issues discovered through internal investigations.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (May 8, 2007): Bulletin published.", "edition": 1, "reporter": "Securityvulns", "published": "2007-05-08T00:00:00", "title": "Microsoft Security Bulletin MS07-025 Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:22", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-1747"], "modified": "2007-05-08T00:00:00", "id": "SECURITYVULNS:DOC:16960", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16960", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}