Attacker Value
Very High
CVE-2010-3333
Attacker Value
Very High
(1 user assessed)
Exploitability
High
(1 user assessed)User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Metasploit Module
Description
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka “RTF Stack Buffer Overflow Vulnerability.”
Add Assessment
2
Technical Analysis
Was the bread and butter for many phishing campaigns for years.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown
General Information
Vendors
- microsoft
Products
- office 2003,
- office 2004,
- office 2007,
- office 2008,
- office 2010,
- office 2011,
- office xp,
- open xml file format converter
Metasploit Modules
Exploited in the Wild
References
Advisory
Thanks,
Can you add any more context to this report, that would help people understand the risks wIth this exploit?
As it is from 2010 I would not expect it to to have significant attacker value or be common in enterprise environments any more.
I replied to your other similar comment on 2012-0158, but said another way it’s hard for me to imagine the purpose of this rating system is to go through and down-rate vulnerabilities over time as patches are created and deployed. The rating I gave is my opinion based on the vulnerability at the time it came out. If your Office isn’t vulnerable to this exploit (and it shouldn’t be), then obviously the rating doesn’t apply to you. This is even true of 0-days.
Thank you, I agree that over time I would not expect to continuously adjust the scores and I completely agree with your statements, I just think that it would be useful for others who may not know to include that kind of detail in the initial analysis.