External risk intelligence

Microsoft Office Arbitrary Code Execution Vulnerability.

CVE advisory | Known Exploit

CVE-2015-1642

Microsoft Office contains a memory corruption flaw that permits attackers to execute arbitrary code via a crafted document. It affects systems that process such documents and carries business risk.

1 Halo Surface Signal

Out-of-bounds Write

Microsoft Office

2007, 2010, 2013

External exposure likelihood

Halo Surface Signal score for CVE-2015-1642

This vulnerability resides in Microsoft Office client software. Exploitation requires a user to open a specially crafted document, which is a client-side interaction. Office is not an internet-facing service, network gateway, or appliance, so the vulnerability does not present a public-internet-facing attack surface.

Horizon Alert

Summary of the vulnerability and why it matters

Microsoft Office applications contain a memory corruption flaw that could allow an attacker to execute arbitrary code. This vulnerability arises when an application processes a specially crafted document. Successful exploitation could lead to the execution of malicious code, impacting the confidentiality, integrity, and availability of affected systems and data.

  • Vulnerable Microsoft Office versions
  • Memory corruption flaw
  • Arbitrary code execution

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to execute arbitrary code on a targeted system by creating a malicious document. When an unsuspecting employee opens this crafted document, the attacker can gain control over the system. This impacts the confidentiality, integrity, and availability of the affected system and any data it processes. The risk to the organization includes potential data breaches, system compromise, and disruption of business operations.

  • A crafted document is presented to an employee.
  • The employee opens the malicious document.
  • Attacker gains code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for arbitrary code execution when a user opens a specially crafted document. The potential impact includes unauthorized access to systems and sensitive data. Given the widespread use of the affected software, organizations should prioritize mitigation.

  • Likely attacker skill: Any
  • Required access: User interaction with document
  • Business risk: High, requires urgent attention

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Microsoft Office could allow attackers to execute arbitrary code through crafted documents. The risk primarily affects organizations that use specific versions of Microsoft Office, potentially impacting employee productivity and data integrity. Understanding and mitigating this risk is crucial for maintaining a secure operating environment.

  • Find affected Office assets.
  • Reduce exposure through user awareness.
  • Apply vendor fixes and verify.
  • Monitor for related activity.

Frequently asked questions

What is Microsoft Office used for and which versions are affected by CVE-2015-1642?

Microsoft Office is a suite of applications used for productivity tasks like word processing, spreadsheets, and presentations. The affected versions include Office 2007 SP3, Office 2010 SP2, and Office 2013 SP1.

What type of weakness does CVE-2015-1642 represent?

CVE-2015-1642 is a memory corruption vulnerability, specifically CWE-787: Out-of-bounds Write. This means the software writes data past the end, or before the beginning, of the intended buffer, which attackers can exploit.

How could an attacker trigger this Microsoft Office vulnerability?

An attacker could trigger this vulnerability by enticing a user to open a specially crafted document. The vulnerability is not triggered if the document is not opened or if the user's version of Office is not affected.

Who should be concerned about this internal Microsoft Office vulnerability?

Organizations running affected versions of Microsoft Office internally should be concerned. This is because exploitation requires a user to interact with a malicious document, indicating a client-side attack vector rather than a direct internet-facing service.

What is the first step to address this Microsoft Office vulnerability?

The first step is to identify all assets running the affected versions of Microsoft Office. This inventory will help in planning and applying vendor-provided fixes.
