The recent zero-day vulnerability in Microsoft Office vulnerability CVE-2017-11826 enables attackers to perform a Remote Code Execution on targeted machines. According to a recently published blog post, this vulnerability is being exploited in the wild. Microsoft has released a security update on October 10, 2017, to fix this issue.
The following versions of Microsoft products are affected by this vulnerability:
- Microsoft Office Compatibility Pack Service Pack 3
- Microsoft Office Online Server 2016
- Microsoft Office Web Apps Server 2010 Service Pack 2
- Microsoft Office Web Apps Server 2013 Service Pack 1
- Microsoft Office Word Viewer
- Microsoft SharePoint Enterprise Server 2016
- Microsoft Word 2007 Service Pack 3
- Microsoft Word 2010 Service Pack 2 (32-bit editions)
- Microsoft Word 2010 Service Pack 2 (64-bit editions)
- Microsoft Word 2013 RT Service Pack 1
- Microsoft Word 2013 Service Pack 1 (32-bit editions)
- Microsoft Word 2013 Service Pack 1 (64-bit editions)
- Microsoft Word 2016 (32-bit edition)
- Microsoft Word 2016 (64-bit edition)
- Word Automation Services
About the vulnerability
This is a type-confusion vulnerability in Microsoft Word which allows attackers to perform a Remote Code Execution on targeted machines. After successful exploitation, attackers can take control of the vulnerable systems and download and execute programs on them.
Reportedly, the vulnerability is currently being exploited in the wild through a malicious RTF document. This RTF file is an initial attack vector that makes a request to a CNC server to download and execute the malware.
According to a VirusTotal report, Quick Heal products successfully detected the exploit with one of its generic detections – ‘Exp.Shell.Gen.Q’.
Quick Heal detections
Quick Heal has released the following detection for the vulnerability CVE-2017-11826:
The additional detection ‘Exp.OLE.CVE-2017-11826’ will be available to Quick Heal users in the next update.
Indicators of compromise
Subject Matter Experts
• Pradeep Kulkarni, Pavankumar Chaudhari | Quick Heal Security Labs