Executive Summary
Summary | |
---|---|
Title | Microsoft Office Project vulnerable to remote code execution via specially crafted Project file |
Informations | |||
---|---|---|---|
Name | VU#155563 | First vendor Publication | 2008-04-08 |
Vendor | VU-CERT | Last vendor Modification | 2008-04-29 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#155563Microsoft Office Project vulnerable to remote code execution via specially crafted Project fileOverviewA vulnerability in the way Microsoft Office Project parses files may lead to execution of arbitrary code.I. DescriptionMicrosoft Office Project contains a vulnerability that could be exploited when Project attempts to parse specially crafted files. According to Microsoft Security Bulletin MS08-018, "Microsoft Project does not properly validate memory resource allocations when opening Project files."II. ImpactA remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the affected user or cause a denial-of-service condition.III. SolutionUpdateMicrosoft has released an update to address this issue. See Microsoft Security Bulletin MS08-018 for more details.
References
This vulnerability was reported in Microsoft Security Bulletin MS08-018. Microsoft credits National Cyber Security Center, The Republic of Korea for reporting this Project Memory Validation Vulnerability. This document was written by Chris Taschner.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/155563 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-399 | Resource Management Errors |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:5384 | |||
Oval ID: | oval:org.mitre.oval:def:5384 | ||
Title: | Project Memory Validation Vulnerability | ||
Description: | Microsoft Project 2000 Service Release 1, 2002 SP1, and 2003 SP2 allows user-assisted remote attackers to execute arbitrary code via a crafted Project file, related to improper validation of "memory resource allocations." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2008-1088 | Version: | 5 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista | Product(s): | Microsoft Project 2000 Microsoft Project 2002 Microsoft Project 2003 |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 3 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
44212 | Microsoft Project File Handling Unspecified Arbitrary Code Execution An unspecified memory corruption flaw exists in Project. With a specially crafted Project file, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity. |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Microsoft Project Invalid Memory Pointer Code Execution attempt RuleID : 17382 - Revision : 10 - Type : FILE-OTHER |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2008-04-11 | Name : Arbitrary code can be executed on the remote host through Microsoft Project. File : smb_nt_ms08-018.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2015-04-15 13:28:37 |
|
2013-05-11 00:56:52 |
|