Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

Threat Alert: Memory Corruption Vulnerability CVE-2017-11826

Posted by Morphisec Labs on December 13, 2017

cyber-threat-prplstamp-173977816.jpg

Two days ago, researchers at TarLogic published a proof-of-concept APT that leverages CVE-2017-11826, a Microsoft Office 0-day vulnerability existing in all Office versions.  Microsoft issued a patch for the vulnerability in October, however many systems still remain at risk.

The proof-of-concept, together with publicly available malware samples, now allows cybercriminals to generate a Microsoft Office document containing the exploit, which works for all Office versions, including Office 2016 and Sharepoint Server.

CyberAttack Background

In September, researchers at Qihoo 360 detected an attack leveraging a new 0-day via a malicious RTF attachment and disclosed the vulnerability to Microsoft. Microsoft issued the patch about a week later and Qihoo reported it in their blog on October 11. The Qihoo analysis dates attack initiation to August.

Why Does it Matter?

There are inevitably delays between a patch release and its application by organizations. Attackers stand ready to exploit unpatched systems. There has been at least one additional attack in the wild using the CVE-2017-11826 vulnerability, a politically themed campaign reported by Fortiguard Labs. This readily available APT will soon be part of the hacker tool kit if it isn’t already.

How it Works

Victims use a Microsoft Office application (Word) to open a malicious file delivered either as an email attachment or via a malicious website serving the content.  Once in, the vulnerability allows an attacker to run arbitrary code to take full control of the victim’s machine. If the attacker gains admin rights – something easy to do – an attacker could take control and then install programs; view, change, or delete data; or create new accounts with full user rights.

Morphisec Users Protected From Day 0

Other security vendors issued updates once the vulnerability was disclosed, leaving organizations vulnerable until the update was available or they patched their systems. With Morphisec, the vulnerability was essentially never a vulnerability. Morphisec customers are protected against such attacks right out of the box, without any need for an update.  Any attack attempting to exploit the vulnerability, including the proof-of-concept APT published by TarLogic, will always fail as the exploit cannot utilize the vulnerability to execute arbitrary code.

New Call-to-action