Thursday, January 30, 2025
HomeCVE/vulnerabilityAll Versions of MS Office Affected with Critical Zero-day Vulnerability Allows Attackers...

All Versions of MS Office Affected with Critical Zero-day Vulnerability Allows Attackers Take Full Control of your System

Published on

SIEM as a Service

Follow Us on Google News

A Critical MS Office Zero-day Remote Code Execution Vulnerability discovered in Microsoft Office that could allow attacker to take complete control of infected Windows Operating System and this vulnerability has been affected with all version of Microsoft Office.

This Zero-day vulnerability discovered in Office Open XML parser where Microsoft Office software fails to properly handle objects in memory.

Using this flow attacker could take full control of victims machine by run arbitrary code in the MS Office installed windows machine.

If the targetted machine running in administrative mode then attackers could take complete control and then install programs; view, change, or delete data; or create new accounts with full user rights.

sadly, this flow has presented in all the Microsoft office version which is running on all the different versions of Microsoft operating system.

Also Read : Hackers Can Steal Your Windows Login Credential Without User Interaction using New Windows OS Flow

How does This MS Office Zero-day Affected

Initially, Exploit this MS Office Zero-day vulnerability attack will send the malicious file with an affected version of Microsoft Office into victims.

An attacker can send the malicious exploitation file via mail to the user and convince the user to open the file. In this case, the attacker can’t force the user to open the file so that attacker Some Traditional social engineering method to convincing the user.

An Example Scenario, we have an Exploit RTF document containing a DOCX document that exploits this Zero-day Vulnerability within the Office Open XML parser.

This Exploit itself Contains word/document.xml  with valid ‘font’ element in the body of the Exploit.

In this case according to  ECMA-376 standard for Office Open XML File Formats valid ‘font’ element describing the fonts used in the document must look like this:

According to Kaspersky researchers, Exploit document failed to Close the tag </w:font> .  The opening tag <w:font> is followed by the object element <o:idmap/> which cause ‘type confusion’ in the OOXML parser. Any object element can be used to successfully exploit this vulnerability.

Also attacker will apply the popular heap spraying ( heap spraying is a technique used in exploits to facilitate arbitrary code execution) technique with use of ActiveX components to control memory address.

According to Microsoft, The security update addresses the vulnerability by correcting how Microsoft Office handles objects in memory. and assign the  CVE-2017-11826  for this MS Office Zero-day vulnerability .

This Flow patched by Microsoft and release the latest Patch update on Tuesday (17 October 2017) along with  62 vulnerabilities Patch.

Some of Major Affected Product

  • Microsoft Office Compatibility Pack Service Pack 3
  • Microsoft Office Online Server 2016
  • Microsoft Office Web Apps Server 2010 Service Pack 2
  • Microsoft Office Web Apps Server 2013 Service Pack 1
  • Microsoft Office Word Viewer
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft Word 2007 Service Pack 3
  • Microsoft Word 2010 Service Pack 2 (32-bit editions)
  • Microsoft Word 2010 Service Pack 2 (64-bit editions)
  • Microsoft Word 2013 RT Service Pack 1
  • Microsoft Word 2013 Service Pack 1 (32-bit editions)
  • Microsoft Word 2013 Service Pack 1 (64-bit editions)
  • Microsoft Word 2016 (32-bit edition)
  • Microsoft Word 2016 (64-bit edition)
  • Word Automation Services
  • Word Automation Services

Exploit for CVE-2017-11826 

  • MSWord.Agent.ix;
  • MSOffice.CVE-2017-11826.a;
  • HEUR:Exploit.MSOffice.Generic.

IOC Hash – SHA 1

cb3429e608144909ef25df2605c24ec253b10b6e99cbb6657afa6b92e9f32fb5

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Cybercriminals Hijack Government Sites to Lauch Phishing Attacks

Cybersecurity researchers have identified a persistent trend in which threat actors exploit vulnerabilities in...

Hackers Can Exploit AI Platform to Achieve Root Access via RCE Vulnerability

In a critical development within the AI industry, researchers at Noma Security have disclosed...

10,000 WordPress Websites Hacked to Distributing MacOS and Microsoft Malware

Over 10,000 WordPress websites have been hijacked to deliver malicious software targeting both macOS...

New RDP Exploit Allows Attackers to Take Over Windows and Browser Sessions

Cybersecurity experts have uncovered a new exploit leveraging the widely used Remote Desktop Protocol...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Windows CLFS Buffer Overflow Vulnerability CVE-2024-49138 – PoC Released

 A recently disclosed Windows kernel-level vulnerability, identified as CVE-2024-49138, has raised significant security concerns in...

Zyxel CPE Zero-Day (CVE-2024-40891) Exploited in the Wild

Security researchers have raised alarms about active exploitation attempts targeting a newly discovered zero-day...

Windows 11 24H2 Update Bug: Users Report Disruptions in Web Camera and USB Devices

Windows 11 KB5050009 for version 24H2 has sparked widespread frustrations among users due to...