Pradeep Kulkarni
CVE-2017-0199 – Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API
April 14, 2017

The newly discovered zero-day vulnerability (CVE-2017-0199) in Microsoft Office/WordPad is being actively exploited in the wild. Almost all Microsoft Office versions are affected by this bug. To fix this vulnerability, Microsoft released a security update on April 11, 2017.

Vulnerable Versions

According to Microsoft, the following products are affected (products that are past their support life cycle are not included in this list):

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2

Vulnerability (CVE-2017-0199)

The vulnerability lies in Microsoft Office/WordPad and can allow remote code execution when a specially crafted Office file is opened. After successful exploitation, the attacker can take control of the vulnerable system and download and execute malware on it.

Quick Heal Detections

Quick Heal has released the following detection for the vulnerability CVE-2017-0199:

  • Exp.RTF.CVE-2017-0199

Conclusion

As malware actors have already started using this particular Microsoft Office exploit, we expect more malicious campaigns to be built around it. As mentioned earlier, this vulnerability has been patched and the security updates are available. We strongly recommend that users apply the latest security updates released by Microsoft and also apply the latest security updates from Quick Heal.

ACKNOWLEDGEMENT

  • PawanKumar Chaudhari
  • Pradeep Kulkarni
    – Vulnerability Research Team, Quick Heal
