Vulnerability Details

Basic Information

Advisory Date: August 24th, 2015
Title: Hewlett-Packard KeyView IDOL DOCX Parsing Remote Code Execution Vulnerability
IDs:
- ZDI-15-398
- ZDI-CAN-2885
CVE ID: CVE-2015-5424
CVSS Score:
- 7.5
- AV:N/AC:L/Au:N/C:P/I:P/A:P
Affected Vendor: Hewlett-Packard
Product: KeyView IDOL

Details

Vulnerability: This issue permits remote attackers to execute arbitrary code on a vulnerable Hewlett-Packard KeyView IDOL system. For exploitation, the victim needs to access a harmful web page or open a harmful file.

Technical Description: The issue is associated with the processing of DOCX files. It is feasible to create a use-after-free condition when handling tag data inside a DOCX. A remote attacker can exploit this to run arbitrary code with the privileges of the affected process.

Additional

Vendor Response: Hewlett-Packard has provided an update to mitigate this vulnerability. Further information is available at: Vendor Announcement

Timeline

2015-05-19: Vulnerability notified to vendor
2015-08-24: Public advisory launch

Research Credit

Discoverer: ASD - Vulnerability Research