CVE-2017-0199 – Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API

The newly discovered zero-day vulnerability (CVE-2017-0199) in Microsoft Office/WordPad is being actively exploited in the wild. Almost all Microsoft Office versions are affected by this bug. To fix this vulnerability, Microsoft released a security update on April 11, 2017.

Vulnerable Versions

According to Microsoft, the following are the affected products (products that are past their support life cycle are not included in this list):

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2

Vulnerability (CVE-2017-0199)

The vulnerability lies in Microsoft Office/WordPad and can allow remote code execution when a specially crafted Office file is opened. After successful exploitation, the attacker can take control of the vulnerable system and download and execute malware on it.

Quick Heal Detections

Quick Heal has released the following detection for the vulnerability CVE-2017-0199.

  • Exp.RTF.CVE-2017-0199

Conclusion

As malware actors have already started using this particular Microsoft Office exploit, we expect more malicious campaigns to be devised around it. As mentioned earlier, this vulnerability has been patched and security updates are available for it. We strongly recommend that users apply the latest security updates released by Microsoft and also apply the latest security updates from Quick Heal.

ACKNOWLEDGEMENT

  • PawanKumar Chaudhari
  • Pradeep Kulkarni
    – Vulnerability Research Team, Quick Heal