CVE-2015-2470
published 2015-08-15

CVE-2015-2470: Integer underflow in Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 2013 RT SP1, Office for Mac 2011, and Word Viewer allows remote…

Priority: P266 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 26.86% (97.8th percentile)
Integer underflow in Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 2013 RT SP1, Office for Mac 2011, and Word Viewer allows remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Integer Underflow Vulnerability."

Affected

4 ranges
Vendor     Product  Version range  Fixed in
microsoft  office
microsoft  office
microsoft  office
microsoft  word

Detection & IOCs (extracted from sources)

filename: 3423415565_min.doc
filename: 3423415565_crash.doc
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37924.zip
  • Crash occurs in MSPTLS!LssbFIsSublineEmpty+0xa327 at instruction `mov edx,dword ptr [esi+70h]` due to integer underflow causing a negative index in EDI, resulting in out-of-bounds memory access. Monitor for crashes or AV hits in msptls.dll at this offset.
  • The triggering byte delta is a 1-bit change at file offset 0xA9B0 in the crafted .doc file. Inspect suspicious .doc files for anomalies at this offset.
  • ESI register holds application verifier heap canary value 0xabcdbbbb at crash time, indicating heap corruption via out-of-bounds pointer dereference in MSPTLS. Presence of this canary in crash dumps is a strong indicator of exploitation attempt.
  • Vulnerable DLL versions: wwlib.dll 12.0.6720.5000 and msptls.dll 12.0.6682.5000 (Office 2007). Flag processes loading these specific DLL versions opening .doc files.
  • The vulnerability is triggered via a crafted .doc file delivered to Microsoft Office (WINWORD.EXE). Monitor WINWORD.EXE for abnormal child process spawning or memory access violations in msptls.dll after opening .doc files.
  • Crash was observed with Microsoft Office File Validation Add-In disabled; enabling the add-in may prevent exploitation or alter crash behavior.