CVE-2016-7193
Published 2016-10-14
CVE-2016-7193: Microsoft Word 2007 SP2, Office 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word 2016, Word for Mac 2011, Word 2016 for Mac, Office Compatibility Pack SP3, Word…
Priority: P182 · high · CVSS 3.1 score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 57.70% (99.0th percentile)
Microsoft Word 2007 SP2, Office 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word 2016, Word for Mac 2011, Word 2016 for Mac, Office Compatibility Pack SP3, Word Viewer, Word Automation Services on SharePoint Server 2010 SP2, Word Automation Services on SharePoint Server 2013 SP1, Office Web Apps 2010 SP2, Office Web Apps Server 2013 SP1, and Office Online Server allow remote attackers to execute arbitrary code via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability."
Affected (22 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | word | — | — |
| microsoft | word | — | — |
| microsoft | word | — | — |
| microsoft | word | — | — |
| msrc | microsoft_office_2010_service_pack_2 | — | — |
| msrc | microsoft_office_compatibility_pack_service_pack_3 | — | — |
| msrc | microsoft_office_online_server_2016 | — | — |
| msrc | microsoft_office_web_apps_2010_service_pack_2 | — | — |
| msrc | microsoft_office_web_apps_server_2013_service_pack_1 | — | — |
| msrc | microsoft_office_word_viewer | — | — |
| msrc | microsoft_word_2007_service_pack_3 | — | — |
| msrc | microsoft_word_2010_service_pack_2 | — | — |
| msrc | microsoft_word_2013_rt_service_pack_1 | — | — |
| msrc | microsoft_word_2013_service_pack_1 | — | — |
| msrc | microsoft_word_2016 | — | — |
| msrc | microsoft_word_2016_for_mac | — | — |
| msrc | microsoft_word_for_mac_2011 | — | — |
| msrc | word_automation_services_on_microsoft_sharepoint_server_2010_service_pack_2 | — | — |
| msrc | word_automation_services_on_microsoft_sharepoint_server_2013_service_pack_1 | — | — |
Detection & IOCs (extracted from sources)
- Malicious RTF samples insert 0x0d (carriage return) bytes within the hexadecimal OLE data in the {\objdata} block to evade parsers. Scanners should strip non-ASCII bytes before parsing hex streams in RTF objdata.
- Malicious RTF samples insert ignored ASCII characters such as '.}' and '}' within the OLE data stream so that third-party parsers truncate the OLE object prematurely and miss the payload. Validate that RTF parsers handle these characters correctly.
- Presence of ActiveX classid 1EFB6596-857C-11D1-B16A-00C0F0283628 (MSCOMCTL TabStrip) in OOXML ActiveX XML files embedded within an RTF-delivered OLE object is a strong indicator of CVE-2016-7193 exploitation.
- Dropped payload path %APPDATA%\7B4331\1C8BBC.exe is a specific Loki Bot dropper artifact from this campaign; monitor for file creation at this path.
- Network connections to paneltestghelp.xyz on port 80 at path /eval/server/readonly/fre.php indicate active Loki Bot C2 communication from a successfully exploited host.
- The ROP chain addresses (e.g. 0x7c3651eb, 0x7c372b02) are specific to one version of a Windows DLL loaded at a fixed base address; they differ across OS and patch levels and are not a universal detection signature.
- The initial VirusTotal detection rate for the malicious RTF was only 3 of 45 engines: most AV and security products at the time of discovery failed to detect the exploit because of the RTF malformations, so signature-only defenses may be insufficient.
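As an added defender-side illustration of the first two bullets (example code written for this page, not code from Talos or any other source quoted here), the following Python compares a naive objdata decoder that stops at the first non-hex byte with one that strips CR, LF and non-ASCII bytes before decoding, then checks whether the OLE compound-file signature becomes visible. The RTF sample is constructed, and the set of bytes treated as ignorable is an assumption.

```python
import re

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE compound-file signature
HEXDIGITS = b"0123456789abcdefABCDEF"
WHITESPACE = b"\r\n\t "                         # line-wrap bytes RTF writers emit legitimately (assumption)

# Constructed sample, not a real malware artifact: a minimal OLE1 object header
# followed by the compound-file magic, with lone 0x0d bytes and a non-ASCII byte
# (0xff) inserted into the hex stream in the way the bullets above describe.
SAMPLE_RTF = (
    b"{\\rtf1{\\object\\objemb{\\*\\objdata "
    b"0105000002000000\r\n"              # OLE1 version and format id
    b"00000000\r00000000\r00000000"      # class-name length, width, height
    b"\r\n20000000"                      # embedded data length
    b"d0cf\r11e0\xffa1b1\r\n1ae1"        # OLE magic, split by CR and a high byte
    b"00000000000000000000\r000000"      # padding
    b"}}}"
)

def objdata_stream(rtf: bytes) -> bytes:
    """Raw bytes of the first \\objdata group, up to the brace that closes it."""
    m = re.search(rb"\\objdata\s?", rtf)
    if not m:
        return b""
    end = rtf.find(b"}", m.end())
    return rtf[m.end():end if end != -1 else len(rtf)]

def decode_strict(stream: bytes) -> bytes:
    """Model of a naive parser: decoding stops at the first non-hex byte."""
    hexpart = re.match(rb"[0-9a-fA-F]*", stream).group(0)
    return bytes.fromhex(hexpart[: len(hexpart) // 2 * 2].decode("ascii"))

def decode_tolerant(stream: bytes) -> bytes:
    """Drop every non-hex byte (CR, LF, non-ASCII) before decoding, as the note advises."""
    cleaned = bytes(b for b in stream if b in HEXDIGITS)
    return bytes.fromhex(cleaned[: len(cleaned) // 2 * 2].decode("ascii"))

def analyze(rtf: bytes) -> dict:
    """Compare both decoders and flag bytes that never belong in a hex stream."""
    stream = objdata_stream(rtf)
    junk = bytes(b for b in stream if b not in HEXDIGITS and b not in WHITESPACE)
    return {
        "strict_has_ole": OLE_MAGIC in decode_strict(stream),
        "tolerant_has_ole": OLE_MAGIC in decode_tolerant(stream),
        "malformed": bool(junk),
        "junk_bytes": sorted(set(junk)),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_RTF))
```

A stray '}' inside the stream (the second bullet) would still cut this extractor short, which is exactly the parser weakness that bullet warns about.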
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | CRITICAL | — |
CISA
Microsoft Office Memory Corruption Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2016-7193 [HIGH] CWE-119 Microsoft Office Memory Corruption Vulnerability
Vulnerability: Microsoft Office Memory Corruption Vulnerability
Affected: Microsoft Office
Microsoft Office contains a memory corruption vulnerability which can allow for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-7193
Remediation Due Date: 2022-03-24
Microsoft
Microsoft Office Memory Corruption Vulnerability
vendor_msrc·2016-10-11·CVSS 7.8
CVE-2016-7193 [HIGH] Microsoft Office Memory Corruption Vulnerability
Microsoft Office Memory Corruption Vulnerability
Description: An Office RTF remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle RTF files. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Exploitation of the vulnerability requires that a user open a specially crafted
GHSA
GHSA-c4q8-jg8m-p6pw: Microsoft Word 2007 SP2, Office 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word 2016, Word for Mac 2011, Word 2016 for Mac, Office Compatibility Pack
ghsa_unreviewed·2022-05-14
CVE-2016-7193 [HIGH] CWE-119 GHSA-c4q8-jg8m-p6pw: Microsoft Word 2007 SP2, Office 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word 2016, Word for Mac 2011, Word 2016 for Mac, Office Compatibility Pack
Microsoft Word 2007 SP2, Office 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word 2016, Word for Mac 2011, Word 2016 for Mac, Office Compatibility Pack SP3, Word Viewer, Word Automation Services on SharePoint Server 2010 SP2, Word Automation Services on SharePoint Server 2013 SP1, Office Web Apps 2010 SP2, Office Web Apps Server 2013 SP1, and Office Online Server allow remote attackers to execute arbitrary code via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability."
VulnCheck
Microsoft Office Memory Corruption Vulnerability
vulncheck·2016·CVSS 7.8
CVE-2016-7193 [HIGH] CWE-119 Microsoft Office Memory Corruption Vulnerability
Microsoft Office Memory Corruption Vulnerability
Microsoft Office contains a memory corruption vulnerability which can allow for remote code execution.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2016-Oct; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-03-24
No detection rules found.
No public exploits indexed.
Talos
How Malformed RTF Defeats Security Engines
blogs_talos·2017-03-23·CVSS 7.8
CVE-2016-7193 [HIGH] How Malformed RTF Defeats Security Engines
This post is authored by Paul Rascagneres with contributions from Alex McDonnell
### Executive Summary

Talos has discovered a new spam campaign used to infect targets with the well known Loki Bot stealer. The infection vector is an RTF document abusing an old exploit (CVE-2016-7193); however, the most interesting part is the effort put into the generation of the RTF. The document contains several malformations designed to defeat security engines and parsers. The attacker has gone out of their way to attempt to evade content inspection devices like AV or network security devices. According to VirusTotal, the initial detection rate of a malicious RTF document recovered from a recent spam campaign is only 3 out of 45 available engines.
Despite the known vulnerability, many security products f
Talos
Microsoft Patch Tuesday - October 2016
blogs_talos·2016-10-11·CVSS 5.5
[MEDIUM] Microsoft Patch Tuesday - October 2016
Patch Tuesday has once again arrived! Microsoft's monthly release of security bulletins to address vulnerabilities provides fixes for 37 newly disclosed security flaws. Today's release sees a total of 10 bulletins, with five of the bulletins rated critical and addressing vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in Microsoft Internet Messaging API.

## Bulletins Rated Critical

The following bulletins are rated critical: MS16-118, MS16-119, MS16-120, MS16-122, MS16-127
MS16-118 and MS16-119 are this month's bulletins for Internet Explorer and Edg
Zscaler
Zscaler found Multiple Security Vulnerabilities | 11-10-2016
blogs_zscaler
Zscaler found Multiple Security Vulnerabilities | 11-10-2016
References
- http://www.securityfocus.com/bid/93372
- http://www.securitytracker.com/id/1036984
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-121
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-7193

Timeline
- 2016-10-14: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild