Public exploit for CVE-2017-0199

A public exploit exists for CVE-2017-0199, a Microsoft Office vulnerability that should be a patching priority. An attacker can use Metasploit to craft the exploit as a document and deliver it by email or through a watering hole attack to infect a remote victim.

Hackers used this vulnerability to breach the email account of the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus. The compromised account was used to send out a weaponized document to foreign affairs ministries in various countries around the world.

Vulnerability Details:

This module creates a malicious RTF file that, when opened in vulnerable versions of Microsoft Word, leads to code execution. The flaw exists in how an olelink object can make an HTTP(S) request and execute HTA code returned in the response. This bug was originally seen being exploited in the wild starting in October 2016. This module was created by reversing a public malware sample.

Microsoft issued a security patch advisory in April. Please check whether the affected products below exist in your environment and expedite patching this vulnerability as soon as possible.

Note: For critical systems, perform testing and validation; for non-critical systems, roll out the patch.

Affected Products:

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)

References:

  1. http://www.securityweek.com/iranian-copykittens-conduct-foreign-espionage
  2. https://www.rapid7.com/db/modules/exploit/windows/fileformat/office_word_hta
  3. https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
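
To triage inbound RTF attachments for the behaviour described under Vulnerability Details (a linked OLE object that names an http(s) resource), the following Python script lists linked objects and the URLs found in their data. It is an added example, not code from the Metasploit module or the referenced reports; the function names and sample documents are constructed for illustration. It assumes plain hex-encoded `\objdata`, so obfuscated files need a full RTF parser.

```python
import re

# One \object group: header control words, then the hex-encoded \objdata payload.
OBJ_RE = re.compile(rb"\\object\b(.*?)\\objdata\b([^}]*)", re.S)
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
LINK_WORDS = ("objautlink", "objlink")   # object is a link, not an embedded copy
ALL_WORDS = LINK_WORDS + ("objupdate",)  # objupdate: refresh the link on open


def decode_objdata(raw: bytes) -> bytes:
    """Turn plain hex-text \\objdata into bytes (whitespace may be interleaved)."""
    hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", raw)
    return bytes.fromhex(hexchars[: len(hexchars) & ~1].decode("ascii"))


def find_remote_links(rtf: bytes):
    """Return [(flags, urls)] for each linked OLE object that names an http(s) URL."""
    findings = []
    for header, raw in OBJ_RE.findall(rtf):
        flags = [w for w in ALL_WORDS if re.search(rb"\\" + w.encode() + rb"\b", header)]
        if not any(w in flags for w in LINK_WORDS):
            continue
        # Link targets are usually UTF-16LE; dropping NULs exposes them as ASCII.
        data = decode_objdata(raw).replace(b"\x00", b"")
        urls = [u.decode("ascii") for u in URL_RE.findall(data)]
        if urls:
            findings.append((flags, urls))
    return findings


def build_sample(kind: bytes, payload: bytes) -> bytes:
    """Constructed test document: a single \\object group wrapping `payload`."""
    h = payload.hex().encode()
    return (rb"{\rtf1{\object" + kind + rb"\objw1\objh1{\*\objclass Word.Document.8}"
            rb"{\*\objdata " + h[:20] + b"\n" + h[20:] + rb"}}}")


# Constructed payloads: not real OLE streams, just enough bytes to carry a URL.
URL = "http://example.invalid/template.hta"
LINKED = build_sample(rb"\objautlink\objupdate",
                      b"\x01\x05\x00\x00" + URL.encode("utf-16-le") + b"\x00\x00\xff\xff")
EMBEDDED = build_sample(rb"\objemb", b"\x01\x05\x00\x00local data\xff")

if __name__ == "__main__":
    for flags, urls in find_remote_links(LINKED + EMBEDDED):
        print("linked OLE object", flags, "->", urls)
```

A hit is a reason to quarantine the attachment and check the recipient's Office patch level, not proof of exploitation, since legitimate documents can also contain linked objects.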
