cvebase
CVE-2017-0199
published 2017-04-12


Priority: P195 · high · CVSS 3.1: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 99.93% (100.0th percentile)
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

Affected

18 ranges

Vendor | Product | Version range | Fixed in
microsoft | office | |
microsoft | office | |
microsoft | office | |
microsoft | office | |
microsoft | windows_server_2008 | |
microsoft_corporation | office_wordpad | |
msrc | microsoft_office_2007_service_pack_3 | |
msrc | microsoft_office_2010_service_pack_2 | |
msrc | microsoft_office_2013_service_pack_1 | |
msrc | microsoft_office_2016 | |
msrc | windows_7 | |
msrc | windows_server_2008 | |
msrc | windows_server_2008_r2 | |
msrc | windows_server_2012 | |
msrc | windows_vista_service_pack_2 | |
msrc | windows_vista_x64_edition_service_pack_2 | |
philips | intellispace_portal | |
philips | intellispace_portal | |

Detection & IOCs (extracted from sources)

filename: transferencia_swift_87647574684.xla
hash (SHA-256): cf193637626e85b34a7ccaed9e4459b75605af46cedc95325583b879990e0e61
domain: doc.internetdocss[.]com
filename: nethelpx86.dll
  • In the observed chain, exploitation of CVE-2017-0199 begins with an OLE-format Excel/Office document (the .xla above) carrying an embedded OLE link that is activated automatically when the file is opened and fetches a remote RTF document; flag Office documents whose embedded OLE links auto-activate on open.
  • The RTF stage uses the \objupdate control word, which makes Word update (activate) the embedded OLE object while the document loads, before it is displayed and without the user clicking the object. Scan RTF files for \objupdate in combination with Equation Editor OLE objects.
  • The embedded OLE object class name in the malicious RTFs exploiting CVE-2017-11882 (chained after CVE-2017-0199) is 'EQuATioN.3', a case-mangled 'Equation.3' that still resolves because ProgID lookups are case-insensitive; use rtfdump/rtfobj to extract and inspect the OLE class names in RTF documents, and match them case-insensitively.
  • Agent Tesla anti-analysis checks include: CheckRemoteDebuggerPresent(); a tick-count delta measured across a 10 ms sleep; the presence of the sandbox DLLs SbieDLL.dll, SxIn.dll, Sf2.dll, snxhk.dll and cmdvrt32.dll; WMI queries whose 'Manufacturer', 'Model' or video-controller 'Name' values match the keywords VMware, VirtualBox, VBox or VIRTUAL; and an HTTP GET to ip-api.com/line/?fields=hosting to detect hosting-provider IP space.
  • Process hollowing targets AddInProcess32 (created with creation flags 0x80000004, which include CREATE_SUSPENDED, 0x4); monitor for AddInProcess32.exe spawned by PowerShell or other unusual parent processes, especially when it is created suspended.
  • A malicious Word document exploiting CVE-2017-0199 was observed in the RedAlpha campaign targeting Tibetan communities; the sample was first seen in the wild during the 57-day gap between the vulnerability's NVD and CNNVD publication.
  • The Agent Tesla loader module is fileless: it is loaded directly into PowerShell memory and never written to disk, so detection of this stage has to come from PowerShell script-block logging or memory scanning rather than from file scanning.
  • The malicious RTF exploiting CVE-2017-0199/CVE-2017-11882 was heavily obfuscated with random values in the MTEF header fields (all except the MTEF version field, which must be 2 or 3 for the exploit to work), giving near-zero AV detection at the time of analysis.
  • The JavaScript downloader (morningdatingroses.js) stores the C2 URL reversed and reassembles it at runtime with .split('').reverse().join(''), evading static string matching on the URL; reversing candidate string literals, or running the script under a JavaScript emulator, recovers it.
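The RTF indicators in the bullets above, turned into a scanner. This is an added example, not code from this page or from any of the sources it extracts from. It walks every `{\object` group in an RTF file, flags `\objupdate`, reads the class name both from `\*\objclass` and from the OLE1 ObjectHeader (MS-OLEDS 2.2.4) at the start of the hex-encoded `\*\objdata` stream, so a case-mangled `EQuATioN.3` in one place is still caught from the other, and also matches the `OLE2Link` class string that the classic CVE-2017-0199 RTF samples carry (a marker the bullets above do not mention). The RTF and the OLE1 blob at the bottom are constructed test data, not a real sample; the hex-cleaning step is a heuristic, because exploit files interleave junk control words into the hex and stripping them can swallow digits, so treat a failed header parse as a reason to look closer rather than as a clean result.

```python
import binascii
import re
import struct
from dataclasses import dataclass, field

OBJECT_RE = re.compile(rb'\{\\object')                 # start of an {\object ...} group
OBJCLASS_RE = re.compile(rb'\{\\\*\\objclass\s*([^}]*)\}')
OBJDATA_RE = re.compile(rb'\{\\\*\\objdata\s*([^}]*)\}')
OBJUPDATE_RE = re.compile(rb'\\objupdate(?![a-zA-Z])')   # exact control word
# Case-insensitive on purpose: ProgID lookups are too, which is why the
# case-mangled 'EQuATioN.3' still resolves to the Equation Editor server.
SUSPICIOUS_CLASS = re.compile(rb'equation|ole2link', re.I)


@dataclass
class RtfObject:
    objclass: str = ''        # text from {\*\objclass ...}
    ole1_class: str = ''      # class name from the OLE1 header inside objdata
    objupdate: bool = False
    native_size: int = 0
    findings: list = field(default_factory=list)


def group_end(data: bytes, start: int) -> int:
    """Offset just past the '}' that closes the group opened at data[start]."""
    depth, i = 0, start
    while i < len(data):
        c = data[i]
        if c == 0x5C:          # backslash: skip the escaped char / control symbol
            i += 2
            continue
        if c == 0x7B:
            depth += 1
        elif c == 0x7D:
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(data)


def decode_objdata(hexblob: bytes) -> bytes:
    """Decode the hex body of \\*\\objdata. Exploit files pad it with newlines
    and junk control words; stripping those is heuristic (a control word glued
    to a hex run can eat digits), so a failed header parse is itself a signal."""
    clean = re.sub(rb'\\[a-zA-Z]+-?\d*\s?', b'', hexblob)   # drop control words
    clean = re.sub(rb'[^0-9A-Fa-f]', b'', clean)             # keep hex digits only
    return binascii.unhexlify(clean[:len(clean) & ~1])


def parse_ole1_header(blob: bytes):
    """Parse the OLE1 ObjectHeader (MS-OLEDS 2.2.4) at the start of objdata and
    return (class_name, format_id, native_size); format_id 2 = embedded object."""
    if len(blob) < 12:
        return '', 0, 0
    _version, format_id, name_len = struct.unpack_from('<III', blob, 0)
    name = blob[12:12 + name_len].rstrip(b'\0').decode('latin-1', 'replace')
    off = 12 + name_len
    for _ in range(2):         # TopicName and ItemName, same length-prefixed layout
        if off + 4 > len(blob):
            return name, format_id, 0
        (length,) = struct.unpack_from('<I', blob, off)
        off += 4 + length
    native_size = 0
    if format_id == 2 and off + 4 <= len(blob):
        (native_size,) = struct.unpack_from('<I', blob, off)
    return name, format_id, native_size


def scan_rtf(data: bytes) -> list:
    """Return one RtfObject per {\\object} group, each with readable findings."""
    results = []
    for m in OBJECT_RE.finditer(data):
        grp = data[m.start():group_end(data, m.start())]
        obj = RtfObject(objupdate=bool(OBJUPDATE_RE.search(grp)))
        if obj.objupdate:
            obj.findings.append('\\objupdate: object activates on open without user interaction')
        cm = OBJCLASS_RE.search(grp)
        if cm:
            obj.objclass = cm.group(1).strip().decode('latin-1', 'replace')
        dm = OBJDATA_RE.search(grp)
        if dm:
            blob = decode_objdata(dm.group(1))
            obj.ole1_class, _fmt, obj.native_size = parse_ole1_header(blob)
        for where, name in (('objclass', obj.objclass), ('OLE1 header', obj.ole1_class)):
            if SUSPICIOUS_CLASS.search(name.encode('latin-1')):
                obj.findings.append(f'{where} class {name!r}: Equation Editor / OLE2Link object')
        results.append(obj)
    return results


# ---- constructed test data (not a real sample) ----------------------------
def make_ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Build a minimal OLE1 embedded-object stream around placeholder native data."""
    def lpstr(s: bytes) -> bytes:
        return struct.pack('<I', len(s) + 1) + s + b'\0' if s else struct.pack('<I', 0)
    return (struct.pack('<II', 0x501, 2) + lpstr(class_name) + lpstr(b'') + lpstr(b'')
            + struct.pack('<I', len(native)) + native)


_HEX = binascii.hexlify(make_ole1_embedded(b'Equation.3', b'\x1c\x00' + b'A' * 44))
SAMPLE_RTF = (
    b'{\\rtf1\\ansi\\deff0 Invoice attached.\n'
    b'{\\object\\objemb\\objupdate\\objw100\\objh100'
    b'{\\*\\objclass EQuATioN.3}'                      # case-mangled ProgID
    b'{\\*\\objdata \n' + _HEX[:20] + b'\n\\bin0 ' + _HEX[20:] + b'}}\n'
    b'{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata 0105000002000000}}'
    b'}'
)

if __name__ == '__main__':
    for n, o in enumerate(scan_rtf(SAMPLE_RTF)):
        print(f'object {n}: objclass={o.objclass!r} ole1={o.ole1_class!r} '
              f'native={o.native_size} -> {o.findings or "nothing notable"}')
```

Run it against a real file with `scan_rtf(open(path, 'rb').read())`; on the constructed sample the first object reports all three findings and the benign Word.Document.8 object reports none. Keeping the class check case-insensitive, and reading the name from both places, is the point: an attacker can mangle `\objclass` freely, but the OLE1 header has to carry something the registry resolves.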

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | 2.0 | 9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck | | 9.8 | CRITICAL |
cisa | | 7.8 | HIGH |
vendor_msrc | | 6.7 | MEDIUM |