CVE-2017-11826 – Microsoft Office Memory Corruption Vulnerability – an Alert by Quick Heal Security Labs

The recent zero-day vulnerability in Microsoft Office vulnerability CVE-2017-11826 enables attackers to perform a Remote Code Execution on targeted machines. According to a recently published blog post, this vulnerability is being exploited in the wild. Microsoft has released a security update on October 10, 2017, to fix this issue.

Vulnerable versions

The following versions of Microsoft products are affected by this vulnerability:

  • Microsoft Office Compatibility Pack Service Pack 3
  • Microsoft Office Online Server 2016
  • Microsoft Office Web Apps Server 2010 Service Pack 2
  • Microsoft Office Web Apps Server 2013 Service Pack 1
  • Microsoft Office Word Viewer
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft Word 2007 Service Pack 3
  • Microsoft Word 2010 Service Pack 2 (32-bit editions)
  • Microsoft Word 2010 Service Pack 2 (64-bit editions)
  • Microsoft Word 2013 RT Service Pack 1
  • Microsoft Word 2013 Service Pack 1 (32-bit editions)
  • Microsoft Word 2013 Service Pack 1 (64-bit editions)
  • Microsoft Word 2016 (32-bit edition)
  • Microsoft Word 2016 (64-bit edition)
  • Word Automation Services

 About the vulnerability

This is a type-confusion vulnerability in Microsoft Word which allows attackers to perform a Remote Code Execution on targeted machines. After successful exploitation, attackers can take control of the vulnerable systems and download and execute programs on them.

Reportedly, the vulnerability is currently being exploited in the wild through a malicious RTF document. This RTF file is an initial attack vector that makes a request to a CNC server to download and execute the malware.

According to a VirusTotal report, Quick Heal products successfully detected the exploit with one of its generic detections – ‘Exp.Shell.Gen.Q’.

Quick Heal detections

Quick Heal has released the following detection for the vulnerability CVE-2017-11826:

  • Exp.OLE.CVE-2017-11826
  • Exp.Shell.Gen.Q

The additional detection ‘Exp.OLE.CVE-2017-11826’ will be available to Quick Heal users in the next update.

Indicators of compromise

b2ae500b7376044ae92976d9e4b65af8

Subject Matter Experts

• Pradeep Kulkarni, Pavankumar Chaudhari | Quick Heal Security Labs

Pradeep Kulkarni

Pradeep Kulkarni


No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image