
APT Groups Exploiting Known Vulnerability In Microsoft Office & WordPad

A known vulnerability in Microsoft Office and WordPad is still being targeted by attackers, even though Microsoft issued a patch for it back in April 2017. The vulnerability is CVE-2017-0199 and is a logic bug.

This vulnerability continues to be exploited due to the large amount of unpatched software still in use. Successful exploitation of this vulnerability will allow an attacker to remotely execute code and escalate privileges on the compromised system.

Attackers are using phishing emails to spread Microsoft Office Rich Text Format (RTF) documents containing the malicious payload. Once the user opens the attached Word document, an HTTP request is issued to a remote server to retrieve a malicious HTML Application (HTA). Once the payload is downloaded, the malicious script displays decoy documents in order to hide the malicious activity from the user.

Anti-virus signature scans should pick up this malware and block it. However, it's not unusual for attackers to modify the malware so that it no longer matches known signatures and avoids detection. Users and administrators are urged to apply the patch from Microsoft as soon as possible.
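A structural check that does not rely on a malware signature, added here as an example (not code from the original article): it looks in an RTF file for an auto-updating linked object whose hex-encoded data contains a remote URL, the kind of object that can cause the HTTP request described above. The function names, the scoring heuristic and the sample document are assumptions constructed for this example.

```python
import re

# RTF control words (from the RTF specification) for a linked OLE object
# that is refreshed automatically when the document is opened.
LINK_WORDS = (rb"\objautlink", rb"\objupdate")
# \objdata carries the object's bytes as hex text, often split across lines.
OBJDATA_RE = re.compile(rb"\\objdata\s+([0-9a-fA-F\s]+)")
# http(s) URL stored as UTF-16LE inside the decoded object data.
URL16_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def find_link_urls(rtf):
    """Decode every \\objdata blob and return the URLs found inside it."""
    urls = []
    for match in OBJDATA_RE.finditer(rtf):
        digits = re.sub(rb"\s+", b"", match.group(1))
        digits = digits[: len(digits) & ~1]  # drop a dangling nibble
        blob = bytes.fromhex(digits.decode("ascii"))
        urls += [u.decode("utf-16-le") for u in URL16_RE.findall(blob)]
    return urls


def triage(rtf):
    """Heuristic (assumption of this example): auto-updating link + remote URL."""
    words = [w.decode("ascii") for w in LINK_WORDS if w in rtf]
    urls = find_link_urls(rtf)
    return {"auto_update_words": words, "urls": urls,
            "suspicious": bool(words and urls)}


def build_sample(url):
    """Constructed, inert test input: an RTF shell whose object data holds a URL."""
    data = (b"\x01\x05\x00\x00" + url.encode("utf-16-le") + b"\x00\x00").hex().encode()
    return (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata "
            + data[:21] + b"\r\n" + data[21:] + b"}}}")


if __name__ == "__main__":
    print(triage(build_sample("http://example.invalid/decoy.hta")))
    print(triage(b"{\\rtf1 Plain text, no objects}"))
```

Heavily obfuscated RTF can hide object data from a simple pattern match, so treat a negative result as inconclusive rather than as proof the file is clean.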




Affected Platforms:

Microsoft Windows – all versions

Resolution:

Regular patching of systems with the latest security updates. Microsoft has already addressed this vulnerability back in April.

Ensure staff awareness of phishing attacks. Awareness campaigns should be provided and regularly refreshed to keep employees apprised of the latest phishing techniques.

Download the updates to fix this issue here





Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
