Executive Summary
| Summary | |
|---|---|
| Title | Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183) |
| Informations | |||
|---|---|---|---|
| Name | MS08-018 | First vendor Publication | 2008-04-08 |
| Vendor | Microsoft | Last vendor Modification | 2008-09-10 |
| Severity (Vendor) | Critical | Revision | 1.3 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 9.3 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Revision Note: V1.3 (September 10, 2008): Bulletin updated: Added entry to Update FAQ to clarify why this update is Critical for Project 2000 but only Important for all other affected versions of Project.Summary: This security update resolves a privately reported vulnerability in Microsoft Project that could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
Original Source
| Url : http://www.microsoft.com/technet/security/bulletin/MS08-018.mspx |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-399 | Resource Management Errors |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:5384 | |||
| Oval ID: | oval:org.mitre.oval:def:5384 | ||
| Title: | Project Memory Validation Vulnerability | ||
| Description: | Microsoft Project 2000 Service Release 1, 2002 SP1, and 2003 SP2 allows user-assisted remote attackers to execute arbitrary code via a crafted Project file, related to improper validation of "memory resource allocations." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2008-1088 | Version: | 5 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista | Product(s): | Microsoft Project 2000 Microsoft Project 2002 Microsoft Project 2003 |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 3 |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 44212 | Microsoft Project File Handling Unspecified Arbitrary Code Execution An unspecified memory corruption flaw exists in Project. With a specially crafted Project file, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity. |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2014-01-10 | Microsoft Project Invalid Memory Pointer Code Execution attempt RuleID : 17382 - Revision : 10 - Type : FILE-OTHER |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2008-04-11 | Name : Arbitrary code can be executed on the remote host through Microsoft Project. File : smb_nt_ms08-018.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:45:55 |
|
| 2013-05-11 00:49:18 |
|
