GdB
Level 8
Message 1 of 2

Massive Vevent vulnerability exploitation

Hello everyone,

 

I'm seeing a weird attempt using the Vevent vulnerability in my fleet.

About 0.2-0.3% of my machines generate a huge amount of threat events about this Vevent vulnerability. The strange point is that this vulnerability concerns only outdated Outlooks (2002-2003) when we have 2010 Outlooks.

Another strange point is that each infected workstation doesn't react the same way: some will generate "only" 100 threat events in a few seconds then completely stop. Some others never stop and have already generated more than 37k events. Always the same type of event, but with random .ics files being targeted. The workstation generates between 1k and 3k events in one day. The days when it's generating events seem random.

I asked my SOC, they have no idea on the root cause, and have not seen the infection vector.

 

Have you ever seen something like this before? And do you have any idea how to get rid of this? It's not threatening, but it's a form of spam which I don't quite like.

 

Best regards,

GdB

1 Reply
Reliable Contributor ninov_n
Message 2 of 2

Re: Massive Vevent vulnerability exploitation

Hello,

It is really strange if you see this behavior on newer versions of Outlook. Probably there are some registry entries referring to that vulnerability. I do not exclude these being false-positive events as a result of corrupted contents or the anti-virus product.

I would advise you to reinstall the VSE/ENS you are using and review the applied policies with the exact Exploit prevention rules/contents. In case you recently migrated or upgraded versions, you can also test applying a new policy.

Otherwise you can go on and test some of the workarounds mentioned here:

‘Microsoft Outlook Code Execution (MS07-003)’

Also you can find additional details here:

Microsoft.Outlook.Remote.Code.Execution.MS07-003

HTTP MS Outlook VEVENT Code Exec

Microsoft Outlook VEVENT Remote Code Execution

In case the above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino