The recent zero-day vulnerability in Microsoft Office vulnerability CVE-2017-11826 enables attackers to perform a Remote Code Execution on targeted machines. According to a recently published blog post, this vulnerability is being exploited in the wild. Microsoft has released a security update on October 10, 2017, to fix this issue.
The following versions of Microsoft products are affected by this vulnerability:
About the vulnerability
This is a type-confusion vulnerability in Microsoft Word which allows attackers to perform a Remote Code Execution on targeted machines. After successful exploitation, attackers can take control of the vulnerable systems and download and execute programs on them.
Reportedly, the vulnerability is currently being exploited in the wild through a malicious RTF document. This RTF file is an initial attack vector that makes a request to a CNC server to download and execute the malware.
According to a VirusTotal report, Quick Heal products successfully detected the exploit with one of its generic detections – ‘Exp.Shell.Gen.Q’.
Quick Heal detections
Quick Heal has released the following detection for the vulnerability CVE-2017-11826:
The additional detection ‘Exp.OLE.CVE-2017-11826’ will be available to Quick Heal users in the next update.
Indicators of compromise
Subject Matter Experts
• Pradeep Kulkarni, Pavankumar Chaudhari | Quick Heal Security Labs