External risk intelligence

Microsoft Office Code Execution Vulnerability Advisory.

CVE advisory | Known Exploit

CVE-2017-11882

A memory corruption vulnerability in Microsoft Office allows attackers to execute arbitrary code in the context of the current user. This poses a significant risk to organizations, potentially leading to unauthorized system access and data compromise. Prompt application of vendor updates is recommended.

1 Halo Surface Signal

Memory Corruption

Microsoft Office

2007, 2010, 2013, 2016

External exposure likelihood

Halo Surface Signal score for CVE-2017-11882

This vulnerability affects Microsoft Office, which is a desktop-based productivity application. It requires the user to open a malicious file locally. It is not a network service, gateway, or internet-facing appliance, and it lacks the characteristics of an externally reachable attack surface.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects Microsoft Office applications. A flaw in how the software handles certain objects in memory can be exploited. This could allow an attacker to run unauthorized code on a user's system.

  • Vulnerable component: Microsoft Office
  • Core weakness: Memory object handling failure
  • Main business impact: Unauthorized code execution

Attack Path

How an attacker could exploit the issue

An attacker could exploit a memory corruption vulnerability in Microsoft Office applications. This occurs when the application improperly handles specific objects in memory. An attacker could then execute arbitrary code within the user's current session.

  • An email or document is opened.
  • Attacker inserts malicious code.
  • Code runs with user privileges.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability involves Microsoft Office's handling of memory objects, allowing an attacker to execute arbitrary code. Exploitation typically requires a user to open a specially crafted file, leading to code execution within the user's current context. Organizations should prioritize addressing this vulnerability due to the potential for significant business risk.

  • Low attacker skill level required.
  • User must open a malicious file.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization should take immediate action to address a memory corruption vulnerability in Microsoft Office. This vulnerability could allow an attacker to execute arbitrary code on a user's system by tricking them into opening a malicious file. The potential impact includes unauthorized access and control of affected systems, compromising sensitive data and disrupting business operations. The known exploitation of this vulnerability poses a significant risk that warrants prompt mitigation.

  • Find all Microsoft Office installations.
  • Restrict file handling and user actions.
  • Apply vendor updates and confirm remediation.
  • Monitor for suspicious activity.
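
One way to carry out the first step, finding Office installations in the releases this advisory lists (2007, 2010, 2013, 2016), from a software inventory export. This is an added example, not part of the original advisory; the CSV column names, host names, and sample rows are constructed assumptions, and the script identifies installations to check for updates, not their patch status.

```python
import csv
import io
import re

# Major version numbers Office uses for the releases this advisory lists.
RELEASE_BY_MAJOR = {12: "2007", 14: "2010", 15: "2013", 16: "2016"}

# Constructed sample inventory export (hypothetical columns and hosts).
SAMPLE_INVENTORY = """host,display_name,display_version
ws-001,Microsoft Office Professional Plus 2010,14.0.7015.1000
ws-002,Microsoft Office Standard 2016,16.0.4266.1001
ws-003,Microsoft Office Professional Plus 2019 - en-us,16.0.10730.20102
ws-004,Mozilla Firefox (x64 en-US),115.0
ws-005,Microsoft Office Enterprise 2007,12.0.6612.1000
ws-006,Microsoft Office Professional Plus 2013,not-a-version
"""

def classify(display_name, display_version):
    """Return the advisory release a record maps to, 'review', or None."""
    if not display_name.lower().startswith("microsoft office"):
        return None
    m = re.match(r"(\d+)\.", display_version)
    year = re.search(r"\b(2007|2010|2013|2016)\b", display_name)
    if m is None:
        # Unparseable version: fall back to the year in the product name.
        return year.group(1) if year else "review"
    release = RELEASE_BY_MAJOR.get(int(m.group(1)))
    if release is None:
        return None
    # Major 16 is shared by later releases, so require the name to agree.
    if release == "2016" and not (year and year.group(1) == "2016"):
        return "review"
    return release

def in_scope_hosts(csv_text):
    """Map each host to the sorted releases (or 'review') found on it."""
    found = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result = classify(row["display_name"], row["display_version"])
        if result is not None:
            found.setdefault(row["host"], set()).add(result)
    return {host: sorted(v) for host, v in found.items()}

if __name__ == "__main__":
    for host, releases in sorted(in_scope_hosts(SAMPLE_INVENTORY).items()):
        print(f"{host}: {', '.join(releases)}")
```

Hosts marked `review` carry an Office build whose major version matches a listed release but whose product name does not, so they need a manual check before being ruled in or out.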

Frequently asked questions

What is Microsoft Office, and what is it used for?

Microsoft Office is a suite of productivity applications widely used for tasks like document creation, data analysis, and presentations. It includes programs such as Word for word processing, Excel for spreadsheets, and PowerPoint for slideshows. It's a core tool for many businesses and individuals.

What is the weakness in CVE-2017-11882?

CVE-2017-11882 is a memory corruption vulnerability. This means the software doesn't handle certain data in memory correctly, which can be exploited to execute unintended code.

How could an attacker exploit CVE-2017-11882?

An attacker could exploit this by tricking a user into opening a specially crafted file. The vulnerability is not triggered if a user does not open such a file.

Who should be concerned about CVE-2017-11882?

Anyone using the specified versions of Microsoft Office should be concerned. While this vulnerability is classified as internal, meaning it doesn't directly affect internet-facing systems, a user opening a malicious file on their computer can still lead to a compromise.

What is the first step to respond to this threat?

The primary first step is to identify all installations of the affected Microsoft Office versions within your environment. Subsequently, applying vendor-provided updates is crucial for remediation.

References

Cyber Threat Intelligence (CTI)

Sources: malpedia, threatActor