CVE-2015-0097
Description
Microsoft Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Excel 2010 SP2, PowerPoint 2010 SP2, and Word 2010 SP2 allow remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Word Local Zone Remote Code Execution Vulnerability."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crafted Office documents trigger remote code execution by referencing .wps as HTML in the Local Machine Zone, affecting Office 2007/2010.
Vulnerability
Microsoft Office 2007 SP3 (Excel, PowerPoint, Word) and Office 2010 SP2 (Excel, PowerPoint, Word) improperly handle specially crafted documents that reference a Works document (.wps) as HTML. When a user opens such a malicious file, the application processes the embedded HTML and script code in the context of the Local Machine Zone of Internet Explorer, bypassing security restrictions. This results in a remote code execution vulnerability, documented as CVE-2015-0097 and addressed by MS15-022 [1][2].
Exploitation
An attacker must deliver a crafted Office document (e.g., .doc, .rtf with a trailing space, or .wps) to a target and persuade the user to open it. No additional authentication or network position beyond user interaction is required. The exploit code demonstrates that by crafting a specially formed file, the Office application parses the reference as HTML and executes script within the Local Machine Zone [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the current logged-on user. If the user has administrative rights, the attacker gains full control of the system, including the ability to install programs, view/change/delete data, and create new accounts with full user rights. The confidentiality, integrity, and availability of the affected system are all compromised [1][2].
Mitigation
Microsoft released security update MS15-022 (KB3038999) in March 2015, which corrects how Office parses specially crafted files and handles files in memory, thereby preventing the Local Machine Zone escalation. All users of the affected Office versions (2007 SP3 and 2010 SP2) should apply the update. No workarounds are documented for unpatched systems; upgrading to a supported version or applying the security update are the only recommended mitigations [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (9)
- cpe:2.3:a:microsoft:powerpoint:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:powerpoint:2010:sp2:*:*:*:*:*:*
Patches
No patches discovered yet.
References (3)
News mentions
No linked articles in our index yet.