Two days ago, researchers at TarLogic published a proof-of-concept exploit for CVE-2017-11826, a memory corruption vulnerability in Microsoft Office that was exploited in the wild as a 0-day and affects all supported Office versions. Microsoft patched it in its October 2017 security update, but many systems remain unpatched and at risk.
The proof-of-concept, together with publicly available malware samples, now gives attackers a template for generating Microsoft Office documents that carry the exploit, which works against all affected Office versions, including Office 2016 and SharePoint Server.
In September, researchers at Qihoo 360 detected an in-the-wild attack delivering a then-unknown 0-day via a malicious RTF attachment and disclosed the vulnerability to Microsoft. Microsoft shipped the fix in its October security update, and Qihoo published its analysis on October 11; that analysis dates the start of the campaign to August.
There are inevitably delays between a patch release and its application by organizations, and attackers stand ready to exploit unpatched systems. At least one additional in-the-wild attack using CVE-2017-11826 has been reported: a politically themed campaign described by FortiGuard Labs. With a working exploit now public, CVE-2017-11826 will be part of commodity attack kits soon if it isn't already.
The victim opens a malicious document (an RTF file in the attacks seen so far) in a Microsoft Office application such as Word, delivered either as an email attachment or served from a malicious website. Successful exploitation lets the attacker run arbitrary code in the context of the user who opened the file. If that user is logged on with administrative rights, the attacker can take full control of the machine: install programs; view, change, or delete data; or create new accounts with full user rights. Even without administrative rights, the attacker gains a foothold on the host from which to escalate or move laterally.
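As an added example (this is not code from the original post, nor from Morphisec, TarLogic or Qihoo 360), the following triage scanner targets the delivery shape described above: an RTF attachment that embeds an OLE object. It decodes each `\objdata` hex payload, parses the OLE1 EmbeddedObject header (OLEVersion, FormatID, ClassName, NativeData) and reports what the native data looks like (zip/OOXML, OLE2 compound file, PE, nested RTF). It does not detect CVE-2017-11826 itself; it flags RTF files that carry embedded objects so they can be detonated in a sandbox. The sample RTF is constructed inline and is not an exploit.

```python
"""Triage scanner for RTF attachments that embed an OLE object (added example)."""
import re
import struct
from typing import Dict, List

# Control words that mark an embedded OLE object and its hex payload (RTF spec).
OBJECT_WORDS = (b"\\object", b"\\objemb", b"\\objautlink", b"\\objclass", b"\\objdata")

# Magic bytes for the kinds of native data an OLE1 container commonly wraps.
MAGIC = {
    b"PK\x03\x04": "zip/OOXML",
    b"\xd0\xcf\x11\xe0": "OLE2 compound file",
    b"MZ": "PE executable",
    b"{\\rt": "nested RTF",
}


def is_rtf(data: bytes) -> bool:
    # Word accepts a truncated "{\rt" header, so do not require a full "{\rtf1".
    return data.lstrip().startswith(b"{\\rt")


def group_end(data: bytes, start: int) -> int:
    """Index of the '}' that closes the RTF group containing position `start`."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":          # skip escaped characters such as \{ \} \\
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                return i
            depth -= 1
        i += 1
    return len(data)


def classify(native: bytes) -> str:
    for magic, label in MAGIC.items():
        if native.startswith(magic):
            return label
    return "unknown"


def parse_ole1(payload: bytes) -> Dict:
    """Parse an OLE1 EmbeddedObject header (MS-OLEDS): version, format, class, native data."""
    def lpstr(off: int):                    # LengthPrefixedAnsiString: u32 length + bytes
        (n,) = struct.unpack_from("<I", payload, off)
        return payload[off + 4:off + 4 + n].rstrip(b"\x00"), off + 4 + n
    try:
        version, fmt = struct.unpack_from("<II", payload, 0)
        class_name, off = lpstr(8)
        _topic, off = lpstr(off)
        _item, off = lpstr(off)
        (size,) = struct.unpack_from("<I", payload, off)
    except struct.error:                    # too short or malformed: report the raw blob
        return {"ole1": False, "class_name": "", "native_kind": classify(payload),
                "native_size": len(payload)}
    native = payload[off + 4:off + 4 + size]
    return {"ole1": version == 0x501, "format_id": fmt,
            "class_name": class_name.decode("latin-1"),
            "native_kind": classify(native), "native_size": len(native)}


def extract_objects(data: bytes) -> List[Dict]:
    """One record per \\objdata group: hex payload decoded and parsed as OLE1."""
    objects = []
    for m in re.finditer(rb"\\objdata\b", data):
        raw = data[m.end():group_end(data, m.end())]
        hexdata = re.sub(rb"\s+", b"", raw)              # Word line-wraps the hex
        clean = re.fullmatch(rb"[0-9A-Fa-f]*", hexdata) is not None
        if not clean:                                    # tolerate junk, but record it
            hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", hexdata)
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]
        payload = bytes.fromhex(hexdata.decode("ascii"))
        rec = parse_ole1(payload)
        rec["clean_hex"] = clean
        rec["payload_size"] = len(payload)
        objects.append(rec)
    return objects


def scan(data: bytes) -> Dict:
    """Triage verdict for one attachment."""
    result = {"is_rtf": is_rtf(data), "object_words": [], "objects": [], "suspicious": False}
    if not result["is_rtf"]:
        return result
    result["object_words"] = [w.decode() for w in OBJECT_WORDS if w in data]
    result["objects"] = extract_objects(data)
    # Any embedded object in a mail-borne RTF deserves sandbox detonation.
    result["suspicious"] = bool(result["objects"]) or bool(result["object_words"])
    return result


def ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE1 EmbeddedObject blob (used only for the constructed sample)."""
    def lpstr(s: bytes) -> bytes:
        return struct.pack("<I", len(s) + 1) + s + b"\x00"
    return (struct.pack("<II", 0x501, 2) + lpstr(class_name)
            + struct.pack("<II", 0, 0)                   # empty TopicName and ItemName
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf() -> bytes:
    """Constructed sample: an RTF embedding a zip-headed object. Not a real exploit."""
    native = b"PK\x03\x04" + b"\x00" * 28
    hexdata = ole1_embedded(b"Word.Document.12", native).hex().encode()
    wrapped = b"\r\n".join(hexdata[i:i + 76] for i in range(0, len(hexdata), 76))
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}"
            b"\\pard Please review the attached report.\\par\r\n"
            b"{\\object\\objemb{\\*\\objclass Word.Document.12}{\\*\\objdata \r\n"
            + wrapped + b"\r\n}}}")


if __name__ == "__main__":
    import json
    print(json.dumps(scan(build_sample_rtf()), indent=2))
```

Run it on a mail gateway's quarantined attachments and route anything with `suspicious` set to detonation; an object whose native data classifies as an Office container or a PE is the strongest signal. The `{\rt` check is deliberate: Office's RTF parser is lenient about the header, and attackers have long used that leniency to slip past scanners that insist on `{\rtf1`.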
Other security vendors issued updates once the vulnerability was disclosed, leaving their customers exposed until the update was available or they patched their systems. With Morphisec, the vulnerability was essentially never a vulnerability. Morphisec customers are protected against such attacks right out of the box, without any need for an update. Any attack attempting to exploit the vulnerability, including the proof-of-concept exploit published by TarLogic, will fail because the exploit cannot use the vulnerability to execute arbitrary code.