Threat Alert: Memory Corruption Vulnerability CVE-2017-11826

Posted by Morphisec Team on Dec 13, 2017 9:45:10 PM
Morphisec Team
Find me on:


Two days ago, researchers at TarLogic published a proof-of-concept APT that leverages CVE-2017-11826, a Microsoft Office 0-day vulnerability existing in all Office versions.  Microsoft issued a patch for the vulnerability in October, however many systems still remain at risk.

The proof-of-concept, together with publicly available malware samples, now allows cybercriminals to generate a Microsoft Office document containing the exploit, which works for all Office versions, including Office 2016 and Sharepoint Server.


In September, researchers at Qihoo 360 detected an attack leveraging a new 0-day via a malicious RTF attachment and disclosed the vulnerability to Microsoft. Microsoft issued the patch about a week later and Qihoo reported it in their blog on October 11. The Qihoo analysis dates attack initiation to August.

Why Does it Matter?

There are inevitably delays between a patch release and its application by organizations. Attackers stand ready to exploit unpatched systems. There has been at least one additional attack in the wild using the CVE-2017-11826 vulnerability, a politically themed campaign reported by Fortiguard Labs. This readily available APT will soon be part of the hacker tool kit if it isn’t already.

How it Works

Victims use a Microsoft Office application (Word) to open a malicious file delivered either as an email attachment or via a malicious website serving the content.  Once in, the vulnerability allows an attacker to run arbitrary code to take full control of the victim’s machine. If the attacker gains admin rights – something easy to do – an attacker could take control and then install programs; view, change, or delete data; or create new accounts with full user rights.

Morphisec Users Protected From Day 0

Other security vendors issued updates once the vulnerability was disclosed, leaving organizations vulnerable until the update was available or they patched their systems. With Morphisec, the vulnerability was essentially never a vulnerability. Morphisec customers are protected against such attacks right out of the box, without any need for an update.  Any attack attempting to exploit the vulnerability, including the proof-of-concept APT published by TarLogic, will always fail as the exploit cannot utilize the vulnerability to execute arbitrary code.

New Call-to-action

Topics: Cyber Attacks, 0-day exploits, Zero-day, Endpoint Security, APT

Welcome to our Blog

Keeping you in the loop with company updates, industry insight, cyber security trends, and cyber attack information.

Subscribe to the blog

Morphisec Named a Cool Vendor 2016

Morphisec is a Gartner Cool Vendor 2016

Each year Gartner identifies new Cool Vendors it considers innovative or transformative. Morphisec is honored be to named a Cool Vendor 2016. Here's more....


Recent Posts

Most Popular Posts