<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=885880844953016&amp;ev=PageView&amp;noscript=1">

Threat Alert: Memory Corruption Vulnerability CVE-2017-11826

Posted by Morphisec Team on December 13, 2017 at 2:45 PM
Morphisec Team
Find me on:


Two days ago, researchers at TarLogic published a proof-of-concept APT that leverages CVE-2017-11826, a Microsoft Office 0-day vulnerability existing in all Office versions.  Microsoft issued a patch for the vulnerability in October, however many systems still remain at risk.

The proof-of-concept, together with publicly available malware samples, now allows cybercriminals to generate a Microsoft Office document containing the exploit, which works for all Office versions, including Office 2016 and Sharepoint Server.


In September, researchers at Qihoo 360 detected an attack leveraging a new 0-day via a malicious RTF attachment and disclosed the vulnerability to Microsoft. Microsoft issued the patch about a week later and Qihoo reported it in their blog on October 11. The Qihoo analysis dates attack initiation to August.

Why Does it Matter?

There are inevitably delays between a patch release and its application by organizations. Attackers stand ready to exploit unpatched systems. There has been at least one additional attack in the wild using the CVE-2017-11826 vulnerability, a politically themed campaign reported by Fortiguard Labs. This readily available APT will soon be part of the hacker tool kit if it isn’t already.

How it Works

Victims use a Microsoft Office application (Word) to open a malicious file delivered either as an email attachment or via a malicious website serving the content.  Once in, the vulnerability allows an attacker to run arbitrary code to take full control of the victim’s machine. If the attacker gains admin rights – something easy to do – an attacker could take control and then install programs; view, change, or delete data; or create new accounts with full user rights.

Morphisec Users Protected From Day 0

Other security vendors issued updates once the vulnerability was disclosed, leaving organizations vulnerable until the update was available or they patched their systems. With Morphisec, the vulnerability was essentially never a vulnerability. Morphisec customers are protected against such attacks right out of the box, without any need for an update.  Any attack attempting to exploit the vulnerability, including the proof-of-concept APT published by TarLogic, will always fail as the exploit cannot utilize the vulnerability to execute arbitrary code.

New Call-to-action

Topics: APT, Cyber Attacks, Zero-day, 0-day exploits, Endpoint Security, Threat Alerts

Welcome to our Blog

Keeping you in the loop with company updates, industry insight, cyber security trends, and cyber attack information.

Subscribe to the blog

Morphisec Named a Cool Vendor 2016

Morphisec is a Gartner Cool Vendor 2016

Each year Gartner identifies new Cool Vendors it considers innovative or transformative. Morphisec is honored be to named a Cool Vendor 2016. Here's more....


Recent Posts

Most Popular Posts