<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=885880844953016&amp;ev=PageView&amp;noscript=1">

Threat Alert: Memory Corruption Vulnerability CVE-2017-11826

Posted by Morphisec Team on December 13, 2017
Find me on:


Two days ago, researchers at TarLogic published a proof-of-concept APT that leverages CVE-2017-11826, a Microsoft Office 0-day vulnerability existing in all Office versions.  Microsoft issued a patch for the vulnerability in October, however many systems still remain at risk.

The proof-of-concept, together with publicly available malware samples, now allows cybercriminals to generate a Microsoft Office document containing the exploit, which works for all Office versions, including Office 2016 and Sharepoint Server.


In September, researchers at Qihoo 360 detected an attack leveraging a new 0-day via a malicious RTF attachment and disclosed the vulnerability to Microsoft. Microsoft issued the patch about a week later and Qihoo reported it in their blog on October 11. The Qihoo analysis dates attack initiation to August.

Why Does it Matter?

There are inevitably delays between a patch release and its application by organizations. Attackers stand ready to exploit unpatched systems. There has been at least one additional attack in the wild using the CVE-2017-11826 vulnerability, a politically themed campaign reported by Fortiguard Labs. This readily available APT will soon be part of the hacker tool kit if it isn’t already.

How it Works

Victims use a Microsoft Office application (Word) to open a malicious file delivered either as an email attachment or via a malicious website serving the content.  Once in, the vulnerability allows an attacker to run arbitrary code to take full control of the victim’s machine. If the attacker gains admin rights – something easy to do – an attacker could take control and then install programs; view, change, or delete data; or create new accounts with full user rights.

Morphisec Users Protected From Day 0

Other security vendors issued updates once the vulnerability was disclosed, leaving organizations vulnerable until the update was available or they patched their systems. With Morphisec, the vulnerability was essentially never a vulnerability. Morphisec customers are protected against such attacks right out of the box, without any need for an update.  Any attack attempting to exploit the vulnerability, including the proof-of-concept APT published by TarLogic, will always fail as the exploit cannot utilize the vulnerability to execute arbitrary code.

New Call-to-action

Subscribe to our blog

Stay in the loop with industry insight, cyber security trends, and cyber attack information and company updates.

Search Our Site

    Recent Posts

    Posts by Tag

    See all