CVE-2017-0261
Published: 2017-05-12
Priority: P1 (83, high)
CVSS 3.1: 7.8 (High), vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-03-24
Exploited in the wild
EPSS: 78.13% (99.5th percentile)
Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0262 and CVE-2017-0281.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office_online_server | — | — |
| microsoft | office_web_apps | — | — |
| microsoft | office_web_apps | — | — |
| microsoft | project_server | — | — |
| microsoft | sharepoint_foundation | — | — |
| microsoft | sharepoint_server | — | — |
| microsoft | sharepoint_server | — | — |
| microsoft | sharepoint_server | — | — |
| microsoft | skype_for_business | — | — |
| microsoft | word | — | — |
| microsoft_corporation | microsoft_office | — | — |
| msrc | microsoft_office_2010_service_pack_2 | — | — |
| msrc | microsoft_office_2013_service_pack_1 | — | — |
| msrc | microsoft_office_2016 | — | — |
Detection & IOCs (extracted from sources)
- BADNEWS drops three files via EPS shellcode into %PROGRAMDATA%\Microsoft\DeviceSync\: VMwareCplLauncher.exe (legitimate signed VMware binary), vmtools.dll (malicious side-load DLL), and MSBuild.exe (BADNEWS payload, renamed). Detect the presence of vmtools.dll in this non-standard path.
- BADNEWS creates a scheduled task named 'BaiduUpdateTask1' that runs the malicious MSBuild.exe every minute. Hunt for scheduled tasks with this name.
- BADNEWS C2 beacon strings follow the pattern 'uuid=...#un=...#cn=...#on=...#lan=...#nop=#ver=1.0'. Monitor HTTP POST bodies for this format.
- BADNEWS hard-coded C2 URI paths contain the distinctive strings 'e3e7e71a0b28b5e96cc492e636722f73' and '4sVKAOvu3D'. Detect HTTP requests containing these path components.
- BADNEWS uses DLL side-loading: VMwareCplLauncher.exe (legitimate VMware binary) loads malicious vmtools.dll from the same directory. Alert on VMwareCplLauncher.exe executing outside standard VMware installation paths.
- The C2 IP (185.203.118[.]115) is derived by decrypting dead-drop resolver content in four steps (Base64 → cipher → Base64 → Blowfish with a static key). The IP may rotate as the attacker updates the dead-drop content, so treat it as a medium-confidence indicator rather than a blocklist entry on its own.
- The dead-drop resolver URL (feeds.rapidfeeds[.]com/88604/) is a legitimate third-party service abused to host encoded C2 information; blocking the host outright may cause false positives for legitimate users of the service.
- Older Patchwork documents exploited CVE-2017-0261, but newer documents (late January 2018) shifted back to CVE-2015-2545. The BADNEWS payload and IOCs are shared across both exploit vectors.
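The indicators above translate directly into hunting logic. The script below is an added example (not code from Unit 42 or from this page) that runs the network and host rules over a few constructed JSON-lines telemetry records; the record layout, the rule names, and the "standard VMware install roots" used to whitelist VMwareCplLauncher.exe are assumptions, and the confidence levels follow the caveats given for the C2 IP and the dead-drop resolver.

```python
"""Hunt for the BADNEWS indicators listed above in JSON-lines telemetry (added example)."""
import json
import re
from typing import Dict, List, Tuple

# Beacon body format from the IOC list: '#'-separated host fingerprint fields,
# an empty 'nop' field and a version pinned to 1.0.
BEACON_RE = re.compile(
    r"uuid=[^#]*#un=[^#]*#cn=[^#]*#on=[^#]*#lan=[^#]*#nop=[^#]*#ver=1\.0"
)
C2_PATH_MARKERS = ("e3e7e71a0b28b5e96cc492e636722f73", "4sVKAOvu3D")
C2_IP = "185.203.118.115"                # may rotate with the dead drop: medium confidence
DEAD_DROP_HOST = "feeds.rapidfeeds.com"  # legitimate service: low confidence on its own
DROP_DIR = "\\microsoft\\devicesync\\"   # %PROGRAMDATA%\Microsoft\DeviceSync\ (lower-cased)
TASK_NAME = "baiduupdatetask1"
# Assumed install roots for the signed VMware launcher; anywhere else is suspect.
VMWARE_DIRS = ("c:\\program files\\vmware\\", "c:\\program files (x86)\\vmware\\")

Hit = Tuple[str, str, str]  # (confidence, rule name, evidence)


def check_http(rec: Dict[str, str]) -> List[Hit]:
    """Network rules: beacon body, hard-coded C2 path markers, C2 IP, dead-drop host."""
    hits: List[Hit] = []
    host, path, body = rec.get("host", ""), rec.get("path", ""), rec.get("body", "")
    if rec.get("method") == "POST" and BEACON_RE.search(body):
        hits.append(("high", "badnews_beacon_format", body[:40]))
    for marker in C2_PATH_MARKERS:
        if marker in path:
            hits.append(("high", "badnews_c2_path", marker))
    if host == C2_IP:
        hits.append(("medium", "badnews_c2_ip", host))
    if host == DEAD_DROP_HOST:
        hits.append(("low", "badnews_dead_drop_resolver", host))
    return hits


def check_endpoint(ev: Dict[str, str]) -> List[Hit]:
    """Host rules: side-load DLL in the drop directory, persistence task, launcher outside VMware."""
    hits: List[Hit] = []
    kind = ev.get("type", "")
    image = ev.get("image", "").lower()
    if kind == "file_create" and image.endswith(DROP_DIR + "vmtools.dll"):
        hits.append(("high", "badnews_sideload_dll_dropped", ev["image"]))
    if kind == "task_create" and ev.get("task", "").lower() == TASK_NAME:
        hits.append(("high", "badnews_persistence_task", ev["task"]))
    if (kind == "process_create" and image.endswith("\\vmwarecpllauncher.exe")
            and not image.startswith(VMWARE_DIRS)):
        hits.append(("high", "vmware_launcher_outside_install_dir", ev["image"]))
    return hits


def hunt(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Route each JSON record to the right rule set; return (ts, confidence, rule, evidence)."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        checker = check_http if rec.get("source") == "proxy" else check_endpoint
        findings.extend((rec["ts"], c, r, e) for c, r, e in checker(rec))
    return findings


# Constructed sample telemetry (not captured traffic): t1 and t7 are benign.
SAMPLE = [
    '{"source":"proxy","ts":"t1","method":"GET","host":"www.example.com","path":"/index.html","body":""}',
    '{"source":"proxy","ts":"t2","method":"POST","host":"185.203.118.115",'
    '"path":"/e3e7e71a0b28b5e96cc492e636722f73/4sVKAOvu3D",'
    '"body":"uuid=ab12#un=user#cn=HOST1#on=Windows 7#lan=192.168.1.5#nop=#ver=1.0"}',
    '{"source":"proxy","ts":"t3","method":"GET","host":"feeds.rapidfeeds.com","path":"/88604/","body":""}',
    r'{"source":"sysmon","ts":"t4","type":"file_create","image":"C:\\ProgramData\\Microsoft\\DeviceSync\\vmtools.dll"}',
    r'{"source":"sysmon","ts":"t5","type":"task_create","task":"BaiduUpdateTask1"}',
    r'{"source":"sysmon","ts":"t6","type":"process_create","image":"C:\\ProgramData\\Microsoft\\DeviceSync\\VMwareCplLauncher.exe"}',
    r'{"source":"sysmon","ts":"t7","type":"process_create","image":"C:\\Program Files\\VMware\\VMware Tools\\VMwareCplLauncher.exe"}',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Record t2 fires four rules at once (beacon format, both path markers, C2 IP), which is the shape a real BADNEWS check-in would have; t7 shows the launcher in its expected install root producing no alert, so the side-load rule keys on location rather than on the signed binary itself.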
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL (site label; the v2 scale has no Critical band, 9.3 is High) | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_msrc | | 7.8 | HIGH | |
The v2 and v3 scores diverge on Attack Vector: v2 scores the email/web delivery path as Network (AV:N), while CVSS 3.x scores a malicious document the user has to open as Local (AV:L) with User Interaction required, which is what holds the 3.1 score at 7.8 despite C:H/I:H/A:H.
CISA
Microsoft Office Use-After-Free Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2017-0261 [HIGH] CWE-416 Microsoft Office Use-After-Free Vulnerability
Vulnerability: Microsoft Office Use-After-Free Vulnerability
Affected: Microsoft Office
Microsoft Office contains a use-after-free vulnerability which can allow for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0261
Remediation Due Date: 2022-03-24
Microsoft
Microsoft Office Remote Code Execution Vulnerability
vendor_msrc·2017-05-09·CVSS 7.8
CVE-2017-0261 [HIGH] Microsoft Office Remote Code Execution Vulnerability
Microsoft Office Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft Office that could be exploited when a user opens a file containing a malformed graphics image or when a user inserts a malformed graphics image into an Office file. Such a file could also be included in an email attachment. An attacker could exploit the vulnerability by constructing a specially crafted EPS file that could allow remote code execution. An attacker who successfully exploited this vulnerability could take control of the affected system.
This vulnerability could not be exploited automatically through a Web-based attack scenario. An attacker could host a specially crafted website containing an Office file that is designed to exploit the vulnerability, and
GHSA
GHSA-gq33-m2fg-cpvh: Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 2016, Office Online Server 2016, Office Web Apps 2010 SP2,Office Web Apps 2013 SP1
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2017-0281 [HIGH] GHSA-gq33-m2fg-cpvh: Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 2016, Office Online Server 2016, Office Web Apps 2010 SP2,Office Web Apps 2013 SP1
Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 2016, Office Online Server 2016, Office Web Apps 2010 SP2,Office Web Apps 2013 SP1, Project Server 2013 SP1, SharePoint Enterprise Server 2013 SP1, SharePoint Enterprise Server 2016, SharePoint Foundation 2013 SP1, Sharepoint Server 2010 SP2, Word 2016, and Skype for Business 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0261 and CVE-2017-0262.
GHSA
GHSA-vmqq-f768-gx47: Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle obj
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2017-0262 [HIGH] GHSA-vmqq-f768-gx47: Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle obj
Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0261 and CVE-2017-0281.
GHSA
GHSA-vxg6-wq4c-3428: Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle obj
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2017-0261 [HIGH] CWE-416 GHSA-vxg6-wq4c-3428: Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle obj
Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0262 and CVE-2017-0281.
VulnCheck
Microsoft Office Use-After-Free Vulnerability
vulncheck·2017·CVSS 7.8
CVE-2017-0261 [HIGH] CWE-416 Microsoft Office Use-After-Free Vulnerability
Microsoft Office Use-After-Free Vulnerability
Microsoft Office contains a use-after-free vulnerability which can allow for remote code execution.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2017-May; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html; https://dl.acm.org/doi/pdf/10.1145/3465481.3465758; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf; https://securelist.com/apt-trends-repo
No detection rules found.
No public exploits indexed.
Securelist
APT trends report Q3 2022
blogs_securelist·2022-11-01
APT trends report Q3 2022
Table of Contents
- The most remarkable findings
- Russian-speaking activity
- Chinese-speaking activity
- Middle East
- Southeast Asia and Korean Peninsula
- Other interesting discoveries
- Final thoughts
Authors
- GReAT
For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q3 2022.
Readers who w
Unit42
Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent
blogs_unit42·2018-03-07
Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent
## Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent
Authors: Brandon Levene, Josh Grunzweig, Brittany Barbehenn
Published: March 7, 2018
Tags: Malware, Threat Research, BADNEWS, Dropping Elephant, India, Monsoon, Pakistan, Patchwork
Summary
In the past few months, Unit 42 has observed the Patchwork group, alternatively known as Dropping Elephant and Monsoon, conducting campaigns against targets located in the Indian subcontinent. Patchwork threat actors utilized a pair of EPS exploits rolled into legitimate, albeit malicious, documents in order to propagate their updated BADNEWS payload. The use of weaponized legitimate documents is a longstanding operational standard of this group.
The malicious documents seen in recent activity refer to a number of topics, including recent military promotions within the Pakistan Army, information related to the Pakistan Atomic Energy Commission, as well as Pakistan’s Ministry of the Interior.
The BADNEWS malware payload, which these malicious documents ultimately deliver, has bee
Securelist
IT threat evolution Q2 2017. Statistics
blogs_securelist·2017-08-15
IT threat evolution Q2 2017. Statistics
Table of Contents
Q2 figures
Mobile threats
Q2 events
SMS spam
Revamped ZTorg
Meet the new Trojan – Dvmap
WAP billing subscriptions
Mobile threat statistics
Distribution of mobile malware by type
TOP 20 mobile malware programs
The geography of mobile threats
Mobile banking Trojans
Mobile Ransomware
Vulnerable apps exploited by cybercriminals
Online threats (Web-based attacks)
Online threats in the banking sector
Geography of attacks
The TOP 10 banking malware families
Ransomware Trojans
The number of new modifications
The number of users attacked by ransomware
The geography of attacks
Top 10 countries attacked by cryptors
Top 10 most widespread cryptor families
Top 10 countries where online resources are seeded with malware
Countries where users faced the greatest
Authors
- Roman Unuchek
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
## Q2 figures
According to KSN data, Kaspersky Lab solutions detected and repelled 342,566,061 malicious attacks from online resources located in 191 countries all over the world.
33,006,783 unique URLs were recognized as malicious by web antivirus components.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 224,675 user computers.
Crypto ransomware attacks were blocked on 246,675 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 185,801,835 unique malicious and pot
Securelist
APT Trends report Q2 2017
blogs_securelist·2017-08-08
APT Trends report Q2 2017
Table of Contents
- Introduction
- Russian-Speaking Actors
- English-Speaking Actors
- Korean-speaking Actors
- Middle Eastern Actors
- Chinese-Speaking Actors
- Best of the rest
- Predictions
- How to keep yourself protected
Authors
- GReAT
## Introduction
Since 2014, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide-range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors. Since we began offering a threat intelligence service, all deep technical details on advanced campaigns are first
In Q1 of 2017 we published our first APT Trends report, highlighting our top research findings over the last few months. We will continue to publish quarterly reports as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most users should be aware of. If you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to
Talos
Microsoft Patch Tuesday - May 2017
blogs_talos·2017-05-10·CVSS 7.5
CVE-2017-0290 [HIGH] Microsoft Patch Tuesday - May 2017
Today, Microsoft has released their monthly set of security updates designed to address vulnerabilities. This month's release addresses 56 vulnerabilities with 15 of them rated critical and 41 rated important. Impacted products include .NET, DirectX, Edge, Internet Explorer, Office, SharePoint, and Windows.
In addition to the coverage Talos is providing for the normal monthly Microsoft security advisories, Talos is also providing coverage for CVE-2017-0290, the MsMpEng Malware Protection service vulnerability in Windows reported by Natalie Silvanovich and Tavis Ormandy of Google Project Zero. Snort rule SIDs for this specific vulnerability are 42820-42821.
## Vulnerabilities Rated Critical
The following vulnerabilities are rated critical by Microsoft:
- CVE-2017-0221
- CVE-2017-0222
- CV
Qualys
Microsoft Fixes Malware Protection Engine and Several 0-Day Vulnerabilities, and Deprecates SHA-1 | Qualys
blogs_qualys·2017-05-09·CVSS 8.8
[HIGH] Microsoft Fixes Malware Protection Engine and Several 0-Day Vulnerabilities, and Deprecates SHA-1 | Qualys
Hours before today’s Patch Tuesday release, on the eve of May 8, Microsoft released an emergency update to fix a vulnerability in their Malware Protection Engine. This critical vulnerability allows an attacker to take complete control of the victim’s machine by just sending an e-mail attachment. When the malware protection engine scans the attachment the malicious code in the file gets executed, allowing the attacker complete and full access to the computer. The attack can also be carried out by sending the file via an instant message or having the victim download the file from a website. It is absolutely essential that organizations using Microsoft Malware Protection Engine make sure that they are at version 1.1.13704.0 or later. Users should also check if they are patched for CVE
References
- http://www.securityfocus.com/bid/98104
- http://www.securitytracker.com/id/1038444
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0261
Timeline
- 2017-05-12: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild