
APT Groups Exploiting Known Vulnerability in Microsoft Office

A known vulnerability which exists in Microsoft Office and WordPad is currently being targeted by attackers despite Microsoft issuing a patch for this back in April 2017. The vulnerability is CVE-2017-0199 and is a logic bug.

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary


Affected platforms

The following platforms are known to be affected:

Threat details

This vulnerability continues to be exploited because a large number of unpatched installations remain in use. Successful exploitation allows an attacker to execute code remotely and escalate privileges on the compromised system.

Attackers are using phishing emails to distribute Microsoft Office Rich Text Format (RTF) documents containing the malicious payload. When the user opens the attached document, an HTTP request is issued to a remote server to retrieve a malicious HTML Application (HTA). Once the payload has been downloaded, the script displays decoy documents to the user in order to hide the malicious activity.

Anti-virus signature scans should detect and block this malware. However, it is not unusual for attackers to modify the malware so that existing signatures no longer match it. Users and administrators are urged to apply the patch from Microsoft as soon as possible.
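Because signature matching can be evaded by small changes to the file, a complementary triage check looks for the structural traits of the documents described above rather than a fixed byte pattern. The following is an added example, not code from NHS Digital or Microsoft: a small Python heuristic that decodes the `\objdata` hex of an RTF file and flags an embedded object that both links to a remote URL (the OLE2Link moniker that these lures use) and is marked with `\objupdate` so that it refreshes as soon as the document opens. The sample RTF, the `example.invalid` URL and the surrounding header bytes are constructed for the example and are not indicators from the alert.

```python
import re
from typing import Dict, List

# Match every \objdata group and capture its hex payload (RTF allows whitespace inside it).
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")
# ASCII URL inside the decoded object data.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
# Same URL shape when stored as UTF-16LE (each character followed by a NUL byte).
WIDE_URL_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def _hex_of(data: bytes) -> str:
    """Encode bytes the way RTF stores binary object data: plain lowercase hex."""
    return data.hex()


# Constructed sample documents (not real captures). The suspicious one mirrors the
# layout described in the alert: an auto-updating linked object whose data carries
# the OLE2Link moniker and a remote URL. The header bytes are a made-up prefix.
SAMPLE_URL = "http://example.invalid/decoy.doc"  # constructed placeholder target
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
    r"{\*\objdata 01050000020000000900000000"
    + _hex_of(b"OLE2Link")
    + "0000"
    + _hex_of(SAMPLE_URL.encode("utf-16-le"))
    + r"}}}"
)
BENIGN_RTF = r"{\rtf1\ansi{\fonttbl{\f0 Arial;}}\f0 Quarterly figures attached.\par}"


def extract_objdata(rtf: str) -> List[bytes]:
    """Return the decoded bytes of every \\objdata group in the RTF text."""
    blobs: List[bytes] = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", match.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a truncated trailing nibble
        try:
            blobs.append(bytes.fromhex(hexstr))
        except ValueError:
            continue  # not valid hex; skip rather than abort the scan
    return blobs


def find_urls(blob: bytes) -> List[str]:
    """Collect ASCII and UTF-16LE URLs embedded in decoded object data."""
    urls = [m.group(0).decode("ascii") for m in URL_RE.finditer(blob)]
    urls += [
        m.group(0).replace(b"\x00", b"").decode("ascii")
        for m in WIDE_URL_RE.finditer(blob)
    ]
    return urls


def assess_rtf(rtf: str) -> Dict[str, object]:
    """Score an RTF document for the linked-object lure described in the alert."""
    indicators: List[str] = []
    urls: List[str] = []
    if re.search(r"\\objupdate\b", rtf):
        indicators.append("objupdate")  # object refreshes itself when the document opens
    for blob in extract_objdata(rtf):
        if b"OLE2Link" in blob or "OLE2Link".encode("utf-16-le") in blob:
            indicators.append("ole2link")  # moniker used to pull a remote object
        urls.extend(find_urls(blob))
    if urls:
        indicators.append("remote_url")
    # A linked object that updates automatically on open is the combination worth
    # escalating; either trait alone is common in legitimate documents.
    suspicious = "objupdate" in indicators and (
        "ole2link" in indicators or "remote_url" in indicators
    )
    return {"suspicious": suspicious, "indicators": sorted(set(indicators)), "urls": urls}


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, assess_rtf(doc))
```

The check is a triage aid for mail-gateway or sandbox pipelines, not a replacement for the patch: it surfaces the URL the document would fetch so the destination can be blocked and the recipients identified, while patched hosts close the underlying logic bug regardless of how the lure is obfuscated.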


Remediation steps

  • Patch systems regularly with the latest security updates. Microsoft addressed this vulnerability in April 2017.
  • Ensure staff awareness of phishing attacks. Awareness campaigns should be provided and regularly refreshed to keep employees apprised of the latest phishing techniques.


CVE Vulnerabilities

Last edited: 17 February 2020 11:27 am