vendor:
Microsoft Office 2007
by:
Eduardo Braun Prado
9.3
CVSS
HIGH
Remote Code Execution
94
CWE
Product Name: Microsoft Office 2007
Affected Version From: 2007
Affected Version To: 2007
Patch Exists: Yes
Related CWE: CVE-2015-0097
CPE: a:microsoft:office:2007
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows XP, 2003, Vista, 2008, 7, 8, 8.1
2015
Microsoft Word Local Machine Zone Remote Code Execution Vulnerability
Microsoft Word, Excel and Powerpoint 2007 contains a remote code execution vulnerability because it is possible to reference documents such as Works document (.wps) as HTML. It will process HTML and script code in the context of the local machine zone of Internet Explorer which leads to arbitrary code execution. By persuading users into opening eg. specially crafted .WPS, ".doc ", ".RTF " (with a space at the end) it is possible to triggerthe vulnerability and run arbitrary code in the context of the logged on Windows user.
Mitigation:
Microsoft has released a security update to address this vulnerability. Users should apply the update as soon as possible.
