Home  /  MalwareSecurity  /  CVE-2017-11826 – Microsoft Office Memory Corruption Vulnerability – Alert!
CVE-2017-11826 – Microsoft Office Memory Corruption Vulnerability – Alert!

CVE-2017-11826 – Microsoft Office Memory Corruption Vulnerability – Alert!

Written by Pradeep Kulkarni
Pradeep Kulkarni
Malware, Security

The recent zero-day vulnerability in Microsoft Office vulnerability CVE-2017-11826 enables attackers to perform a Remote Code Execution on targeted machines. According to a recently published blog post, this vulnerability is being exploited in the wild. Microsoft has released a security update on October 10, 2017, to fix this issue.

Vulnerable versions

The following versions of Microsoft products are affected by this vulnerability:

  • Microsoft Office Compatibility Pack Service Pack 3
  • Microsoft Office Online Server 2016
  • Microsoft Office Web Apps Server 2010 Service Pack 2
  • Microsoft Office Web Apps Server 2013 Service Pack 1
  • Microsoft Office Word Viewer
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft Word 2007 Service Pack 3
  • Microsoft Word 2010 Service Pack 2 (32-bit editions)
  • Microsoft Word 2010 Service Pack 2 (64-bit editions)
  • Microsoft Word 2013 RT Service Pack 1
  • Microsoft Word 2013 Service Pack 1 (32-bit editions)
  • Microsoft Word 2013 Service Pack 1 (64-bit editions)
  • Microsoft Word 2016 (32-bit edition)
  • Microsoft Word 2016 (64-bit edition)
  • Word Automation Services

 About the vulnerability

This is a type-confusion vulnerability in Microsoft Word which allows attackers to perform a Remote Code Execution on targeted machines. After successful exploitation, attackers can take control of the vulnerable systems and download and execute programs on them.

Reportedly, the vulnerability is currently being exploited in the wild through a malicious RTF document. This RTF file is an initial attack vector that makes a request to a CNC server to download and execute the malware.

According to a VirusTotal reportSeqrite products successfully detected the exploit with one of its generic detections – ‘Exp.Shell.Gen.Q’.

Seqrite detections

Seqrite has released the following detection for the vulnerability CVE-2017-11826:

  • Exp.OLE.CVE-2017-11826
  • Exp.Shell.Gen.Q

The additional detection ‘Exp.OLE.CVE-2017-11826’ will be available to Seqrite users in the next update.

Indicators of compromise

b2ae500b7376044ae92976d9e4b65af8

Subject Matter Experts

• Pradeep Kulkarni, Pavankumar Chaudhari Quick Heal Security Labs

Pradeep Kulkarni

About Pradeep Kulkarni

Pradeep Kulkarni is leading the IPS team in Quick Heal Technologies Limited. Having worked in the IT security industry for over 11 years, he has worked on various...

Articles by Pradeep Kulkarni »

Related Posts