CVE-2015-2467
Published 2015-08-15
CVE-2015-2467: Microsoft Office 2007 SP3 allows remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."
Priority P267 · critical · 9.3 CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 27.69% (97.8th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is a Use-After-Free in mso.dll (version 12.0.6721.5000) triggered during parsing of a crafted .doc file. The crash occurs at mso!Ordinal2690+0x457 (EIP 32fbca76) when dereferencing freed heap memory via EDI register.
- The malicious .doc file contains 2-bit changes from the original at file offsets 0x11E60 and 0x1515F. These offsets can be used as a byte-level signature to identify the minimized PoC document.
- The crash call stack involves mso!Ordinal2690 and wwlib!wdCommandDispatch. Monitor for abnormal call chains originating from these ordinals in mso.dll and wwlib.dll when processing Word documents.
- The free of the exploited heap block is performed by mso!Ordinal1743, mso!MsoFreePv, mso!Ordinal519, mso!Ordinal320, and mso!Ordinal379. Heap spray or use-after-free detection on these ordinals in mso.dll version 12.0.6721.5000 may identify exploitation attempts.
- Exploitation targets Microsoft Office 2007 SP3 (mso.dll 12.0.6721.5000, wwlib.dll 12.0.6720.5000) on Windows 2003 x86. The vulnerability does not reproduce in Office 2010 on Windows 7 x86, helping scope detection to legacy environments.
- The PoC crash was only reproducible with Microsoft Office File Validation Add-In disabled. Environments with this add-in enabled may not trigger the vulnerability under the same conditions.
- The vulnerability does not reproduce in Office 2010 on Windows 7 x86; detection and patching efforts should be scoped to Office 2007 SP3 on Windows 2003 x86 environments.
No detection rules found.
No writeups or analysis indexed.
- http://www.securitytracker.com/id/1033239
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-081
- https://www.exploit-db.com/exploits/37913/
Published: 2015-08-15