Vulnerability  oval:org.mitre.oval:def:28356
Microsoft office memory corruption vulnerability – CVE-2015-0086 (MS15-022)  

Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 Gold and SP1, Word 2013 RT Gold and SP1, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2, Word Automation Services on SharePoint Server 2013 Gold and SP1, Web Applications 2010 SP2, and Web Apps Server 2013 Gold and SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability."
Create Date: 2015-03-17 Last Update Date: 2015-04-27

Affected Platforms/Products

Affected Products (CPE + CVE references)
Platforms: windows (from OVAL definitions) Products: windows
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows 8.1
  • Microsoft Windows 8
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows 7
  • Microsoft Windows Server 2008
  • Microsoft Windows Vista
  • Microsoft Windows Server 2003
  • Microsoft Word Viewer
  • Microsoft Word 2013
  • Microsoft Office 2010
  • Microsoft Word 2010
  • Microsoft Word 2007
  • Microsoft SharePoint Server 2013
  • Microsoft SharePoint Server 2010
  • Microsoft Office Web Apps Server 2013
  • Microsoft Office Web Apps 2010
  • Microsoft Office Compatibility Pack

References

Criteria

The system is vulnerable
IF : Any one of the following are true
IF : All of the following are true Office Web Apps 2013 and vulnerable file version
Prerequisites (Extended Definitions)
Microsoft Office Web Apps Server 2013 is installed oval:org.mitre.oval:def:22312
IF : Check if the version of msoserver.dll is less than 15.0.4701.1000
Windows : File Test :  Check if the version of msoserver.dll is less than 15.0.4701.1000 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File Object holds the details of Msoserver.Dll (Office Web Apps 2013)
[[value of ${{windows:registry_object:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.WacServer : InstallLocation}}]]\PPTConversionService\bin\Converter\msoserver.dll
version less than 15.0.4701.1000 (datatype=version)
State holds if the version is less than 15.0.4701.1000 windows : file_state 
IF : All of the following are true Sharepoint Server 2010 and vulnerable file version
Prerequisites (Extended Definitions)
Microsoft Office SharePoint Server 2010 is installed. oval:org.mitre.oval:def:12880
IF : Check if the version of msoserver.dll is less than 14.0.7145.5000
Windows : File Test :  Check if the version of msoserver.dll is less than 14.0.7145.5000 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File Object holds the details of Msoserver.Dll(Sharepoint Server)
[[value of ${{windows:registry_object:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.OSERVER : InstallLocation}}]]\14.0\WebServices\WordServer\Core\msoserver.dll
version less than 14.0.7145.5000 (datatype=version)
State holds if the version is less than 14.0.7145.5000 windows : file_state 
IF : All of the following are true Sharepoint Server 2013 and vulnerable file version
Prerequisites (Extended Definitions)
Microsoft SharePoint Server 2013 is installed oval:org.mitre.oval:def:16325
IF : Check if the version of wwintl.dll is less than 15.0.4631.1000
Windows : File Test :  Check if the version of wwintl.dll is less than 15.0.4631.1000 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File Object holds the details of wwintl.dll
[[value of ${{windows:registry_object:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.OSERVER : InstallLocation}}]]\15.0\WebServices\ConversionServices\wwintl.dll
version less than 15.0.4631.1000 (datatype=version)
State holds if the version is less than 15.0.4631.1000 windows : file_state 
IF : All of the following are true Office Web Apps 2010 and vulnerable file version
Prerequisites (Extended Definitions)
Microsoft Office Web Apps 2010 is installed oval:org.mitre.oval:def:15787
IF : Check if the version of msoserver.dll is less than 14.0.7145.5000
Windows : File Test :  Check if the version of msoserver.dll is less than 14.0.7145.5000 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File Object holds the details of Msoserver.Dll(Web Apps)
[[value of ${{windows:registry_object:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.WCSERVER : InstallLocation}}]]\14.0\WebServices\ConversionService\Bin\Converter\msoserver.dll
version less than 14.0.7145.5000 (datatype=version)
State holds if the version is less than 14.0.7145.5000 windows : file_state 
IF : All of the following are true Office Compatibility Pack 2007 and vulnerable version
Prerequisites (Extended Definitions)
Microsoft Office Compatibility Pack is installed oval:org.mitre.oval:def:1853
IF : Any one of the following are true Check for vulnerable versions
IF : Check if the version of excelcnv.exe is less than 12.0.6717.5000
Windows : File Test :  Check if the version of excelcnv.exe is less than 12.0.6717.5000 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File 
[[value of ${{windows:registry_object:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion : ProgramFilesDir [behaviours=]}}]]\Microsoft Office\Office12\excelcnv.exe
version less than 12.0.6717.5000 (datatype=version)
State holds if the version is less than 12.0.6717.5000 windows : file_state 
IF : Check if the version of wordcnv.dll is less than 12.0.6717.5000
Windows : File Test :  Check if the version of wordcnv.dll is less than 12.0.6717.5000 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File 
[[value of ${{windows:registry_object:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion : ProgramFilesDir [behaviours=]}}]]\Microsoft Office\Office12\wordcnv.dll
version less than 12.0.6717.5000 (datatype=version)
State holds if the version is less than 12.0.6717.5000 windows : file_state 
IF : All of the following are true Word 2013 and vulnerable file version
Prerequisites (Extended Definitions)
Microsoft Word 2013 is installed oval:org.mitre.oval:def:15560
IF : Check if the version of winword.exe is less than 15.0.4701.1001
Windows : File Test :  Check if the version of winword.exe is less than 15.0.4701.1001 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File 
[regex_capture=[[[value of ${{windows:registry_object:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe : Path}}]]]][pattern=^(.*[^\\])\\?$] \winword.exe
version less than 15.0.4701.1001 (datatype=version)
State holds if the version is less than 15.0.4701.1001 windows : file_state 
IF : All of the following are true Word 2010 and vulnerable file version
Prerequisites (Extended Definitions)
Microsoft Word 2010 is installed oval:org.mitre.oval:def:7631
IF : Check if the version of winword.exe is less than 14.0.7145.5001
Windows : File Test :  Check if the version of winword.exe is less than 14.0.7145.5001 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File Word 2010 winword.exe
[regex_capture=[[[value of ${{windows:registry_object:\}}]]]][pattern=^(.*[^\\])\\?$] \winword.exe
version less than 14.0.7145.5001 (datatype=version)
State holds if the version is less than 14.0.7145.5001 windows : file_state 
IF : All of the following are true Word 2007 and vulnerable file version
Prerequisites (Extended Definitions)
Microsoft Word 2007 is installed oval:org.mitre.oval:def:2074
IF : Check if the version of winword.exe is less than 12.0.6718.5000
Windows : File Test :  Check if the version of winword.exe is less than 12.0.6718.5000 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File Word 2007 winword.exe
[regex_capture=[[[value of ${{windows:registry_object:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Word\InstallRoot : Path [behaviours=]}}]]]][pattern=^(.*[^\\])\\?$] \winword.exe
version less than 12.0.6718.5000 (datatype=version)
State holds if the version is less than 12.0.6718.5000 windows : file_state 
IF : All of the following are true Office 2010 and vulnerable file version
Prerequisites (Extended Definitions)
Microsoft Office 2010 is installed oval:org.mitre.oval:def:12061
IF : Any one of the following are true Check for vulnerable versions
IF : Check if the version of oartconv.dll is less than 14.0.7134.5000
Windows : File Test :  Check if the version of oartconv.dll is less than 14.0.7134.5000 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File 
[[value of ${{windows:registry_object:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion : ProgramFilesDir [behaviours=]}}]]\Microsoft Office\OFFICE14\oartconv.dll
version less than 14.0.7134.5000 (datatype=version)
State holds if the version is less than 14.0.7134.5000 windows : file_state 
IF : Check if the version of oart.dll is less than 14.0.7134.5000
Windows : File Test :  Check if the version of oart.dll is less than 14.0.7134.5000 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File 
[[value of ${{windows:registry_object:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion : ProgramFilesDir [behaviours=]}}]]\Microsoft Office\OFFICE14\oart.dll
version less than 14.0.7134.5000 (datatype=version)
State holds if the version is less than 14.0.7134.5000 windows : file_state 
IF : Check if the version of mso.dll is less than 14.0.7145.5000
Windows : File Test :  Check if the version of mso.dll is less than 14.0.7145.5000 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File Path to existing Mso.dll
\
version less than 14.0.7145.5000 (datatype=version)
State holds if the version is less than 14.0.7145.5000 windows : file_state 
IF : All of the following are true Word Viewer 2003 and vulnerable file version
Prerequisites (Extended Definitions)
Microsoft Word Viewer is installed oval:org.mitre.oval:def:737
IF : Check if the version of wordview.exe is less than 11.0.8416
Windows : File Test :  Check if the version of wordview.exe is less than 11.0.8416 
At least one of the objects listed below must exist on the system (Existence check)
Windows : File Object holds, if file wordview.exe is present
[[value of ${{windows:registry_object:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wordview.exe : Path [behaviours=]}}]]\wordview.exe
version less than 11.0.8416 (datatype=version)
State holds if the version is less than 11.0.8416 windows : file_state 

Quick Help

References To Objects
[[ .. ${{...}}]] are refences to values of other objects.
Other Help Topics
Data Types
What is an Object?
What is a State?
What is a Test?
Other Help Topics
Regular Expression Patterns
Some object or state definitions are defined as regular expression patterns, you should interpret the regexp pattern while evaluating them.

OVAL Definitions By Referenced Objects

How does it work?   User agreement and privacy statement   About & Contact
CVE is a registred trademark of the MITRE Corporation and the authoritive source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritive source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritive source of OVAL content is MITRE's OVAL web site.
Warning: This site and all data are provided as is. It is not guaranteed that all information is accurate and complete. Use any information provided on this site at your own risk. By using this site you accept that you know that these data are provided as is and not guaranteed to be accurate, correct or complete. All trademarks appearing on this site are the property of their respective owners in the US or other countries. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss. PLEASE SEE nvd.nist.gov and oval.mitre.org for more details about OVAL language and definitions.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor/web site owner/maintainer be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Use of OVAL and all related data is subject to terms of use defined by Mitre at http://oval.mitre.org/oval/about/termsofuse.html