CVE-2017-0262
Published 2017-05-12
CVE-2017-0262: Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in…
Priority: P183 · high · CVSS 3.1 base score 7.8
CVSS vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2022-08-10
Exploited in the wild
EPSS: 80.73% (99.6th percentile)
Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0261 and CVE-2017-0281.
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office_online_server | — | — |
| microsoft | office_web_apps | — | — |
| microsoft | office_web_apps | — | — |
| microsoft | project_server | — | — |
| microsoft | sharepoint_foundation | — | — |
| microsoft | sharepoint_server | — | — |
| microsoft | sharepoint_server | — | — |
| microsoft | sharepoint_server | — | — |
| microsoft | skype_for_business | — | — |
| microsoft | word | — | — |
| microsoft_corporation | microsoft_office | — | — |
| msrc | microsoft_office_2010_service_pack_2 | — | — |
| msrc | microsoft_office_2013_rt_service_pack_1 | — | — |
| msrc | microsoft_office_2013_service_pack_1 | — | — |
| msrc | microsoft_office_2016 | — | — |
Detection & IOCs (extracted from sources)
- CVE-2017-0262 is a Microsoft Office Encapsulated PostScript (EPS) type confusion exploit, delivered via spearphish .docx attachment, used by Sofacy/APT28 to drop the GAMEFISH backdoor (~30kb) against NATO-related targets in Europe.
- CVE-2017-0262 was chained with CVE-2017-0263 (EoP use-after-free) in the same spearphish document; detections should look for both CVEs triggered together from an Office process.
- The GAMEFISH payload dropped via CVE-2017-0262 exploitation is described only as 'a small 30kb backdoor'; no hash, C2 domain/IP, or further configuration details are present in the available sources.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
GHSA
GHSA-gq33-m2fg-cpvh (CVE-2017-0281) [HIGH]
ghsa_unreviewed · 2022-05-13 · CVSS 7.8
Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 2016, Office Online Server 2016, Office Web Apps 2010 SP2, Office Web Apps 2013 SP1, Project Server 2013 SP1, SharePoint Enterprise Server 2013 SP1, SharePoint Enterprise Server 2016, SharePoint Foundation 2013 SP1, SharePoint Server 2010 SP2, Word 2016, and Skype for Business 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0261 and CVE-2017-0262.
GHSA
GHSA-vmqq-f768-gx47 (CVE-2017-0262) [HIGH]
ghsa_unreviewed · 2022-05-13 · CVSS 7.8
Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0261 and CVE-2017-0281.
GHSA
GHSA-vxg6-wq4c-3428 (CVE-2017-0261, CWE-416) [HIGH]
ghsa_unreviewed · 2022-05-13 · CVSS 7.8
Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0262 and CVE-2017-0281.
VulnCheck
Microsoft Office Remote Code Execution Vulnerability (CVE-2017-0262) [HIGH]
vulncheck · 2017 · CVSS 7.8
A remote code execution vulnerability exists in Microsoft Office.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit
- https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
- https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2017-May
- https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
- https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf
- https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/
- https://www.tenable.com/blog/daisy-chaining-how-vulnerabilities-can-be-greater-than-the-sum-of-their-parts
- https://dl.acm.or
CISA
Microsoft Office Remote Code Execution Vulnerability (CVE-2017-0262) [HIGH]
cisa · 2022-02-10 · CVSS 7.8
Vulnerability: Microsoft Office Remote Code Execution Vulnerability
Affected: Microsoft Office
A remote code execution vulnerability exists in Microsoft Office.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0262
Remediation Due Date: 2022-08-10
Microsoft
Microsoft Office Remote Code Execution Vulnerability (CVE-2017-0262) [HIGH]
vendor_msrc · 2017-05-09 · CVSS 7.8
Description: A remote code execution vulnerability exists in Microsoft Office that could be exploited when a user opens a file containing a malformed graphics image or when a user inserts a malformed graphics image into an Office file. Such a file could also be included in an email attachment. An attacker could exploit the vulnerability by constructing a specially crafted EPS file that could allow remote code execution. An attacker who successfully exploited this vulnerability could take control of the affected system.
This vulnerability could not be exploited automatically through a Web-based attack scenario. An attacker could host a specially crafted website containing an Office file that is designed to exploit the vulnerability, and
No detection rules found.
No public exploits indexed.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys · 2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable · 2021-01-21
Securelist
A Slice of 2017 Sofacy Activity
blogs_securelist · 2018-02-20
Table of Contents
- Dealer’s Choice
- 0day Deployment(s)
- Light SPLM deployment in Central Asia and Consistent Infrastructure
- Heavy Zebrocy deployments
- SPLM deployment in Central Asia
- SPLM/CHOPSTICK/XAgent Modularity and Infrastructure
- Infrastructure Notes
- Conclusion
- Technical Appendix
- Related md5
- Related domains
Authors
- GReAT
Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard. Our private reports subscription customers receive a steady stream of YARA, IOC, and reports on Sofacy, our most reported APT for the year.
This high level of cyber-espionage activity
Securelist
IT threat evolution Q2 2017. Statistics
blogs_securelist · 2017-08-15
Table of Contents
- Q2 figures
- Mobile threats
- Q2 events
- SMS spam
- Revamped ZTorg
- Meet the new Trojan – Dvmap
- WAP billing subscriptions
- Mobile threat statistics
- Distribution of mobile malware by type
- TOP 20 mobile malware programs
- The geography of mobile threats
- Mobile banking Trojans
- Mobile Ransomware
- Vulnerable apps exploited by cybercriminals
- Online threats (Web-based attacks)
- Online threats in the banking sector
- Geography of attacks
- The TOP 10 banking malware families
- Ransomware Trojans
- The number of new modifications
- The number of users attacked by ransomware
- The geography of attacks
- Top 10 countries attacked by cryptors
- Top 10 most widespread cryptor families
- Top 10 countries where online resources are seeded with malware
- Countries where users faced the greatest
- Local threats
Authors
- Roman Unuchek
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
## Q2 figures
According to KSN data, Kaspersky Lab solutions detected and repelled 342,566,061 malicious attacks from online resources located in 191 countries all over the world.
33,006,783 unique URLs were recognized as malicious by web antivirus components.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 224,675 user computers.
Crypto ransomware attacks were blocked on 246,675 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 185,801,835 unique malicious and pot
Securelist
APT Trends report Q2 2017
blogs_securelist · 2017-08-08
Table of Contents
- Introduction
- Russian-Speaking Actors
- English-Speaking Actors
- Korean-speaking Actors
- Middle Eastern Actors
- Chinese-Speaking Actors
- Best of the rest
- Predictions
- How to keep yourself protected
Authors
- GReAT
## Introduction
Since 2014, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors. Since we began offering a threat intelligence service, all deep technical details on advanced campaigns are first
Securelist
APT Trends report Q2 2017
blogs_securelist · 2017-08-08 · CVSS 7.8 [HIGH]
Table of Contents
- Introduction
- Russian-Speaking Actors
- English-Speaking Actors
- Korean-speaking Actors
- Middle Eastern Actors
- Chinese-Speaking Actors
- Best of the rest
- Predictions
- How to keep yourself protected
Authors
- GReAT
## Introduction
Kaspersky’s Private Threat Intelligence Portal (TIP)
In Q1 of 2017 we published our first APT Trends report, highlighting our top research findings over the last few months. We will continue to publish quarterly reports as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most users should be aware of. If you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to
Talos
Microsoft Patch Tuesday - May 2017 (CVE-2017-0290) [HIGH]
blogs_talos · 2017-05-10 · CVSS 7.5
Today, Microsoft has released their monthly set of security updates designed to address vulnerabilities. This month's release addresses 56 vulnerabilities, with 15 of them rated critical and 41 rated important. Impacted products include .NET, DirectX, Edge, Internet Explorer, Office, SharePoint, and Windows.
In addition to the coverage Talos is providing for the normal monthly Microsoft security advisories, Talos is also providing coverage for CVE-2017-0290, the MsMpEng Malware Protection service vulnerability in Windows reported by Natalie Silvanovich and Tavis Ormandy of Google Project Zero. Snort rule SIDs for this specific vulnerability are 42820-42821.
## Vulnerabilities Rated Critical
The following vulnerabilities are rated critical by Microsoft:
- CVE-2017-0221
- CVE-2017-0222
- CV
Talos
Vulnerability Spotlight: Apple Garage Band Out of Bounds Write Vulnerability (CVE-2017-2372) [HIGH]
blogs_talos · 2017-02-14 · CVSS 8.8
Discovered by Tyler Bohan of Cisco Talos
## Overview
Talos is disclosing TALOS-2016-0262 (CVE-2017-2372) and TALOS-2017-0275 (CVE-2017-2374), an out of bounds write vulnerability in Apple GarageBand. GarageBand is a music creation program, allowing users to create and edit music easily and effectively from their Mac computer. GarageBand is installed by default on all Mac computers, so there is a significant number of potential victims. This issue was partially resolved on 1/18/17 with a patch which addressed CVE-2017-2372; the patch released on 2/13/17 addressed CVE-2017-2374, resolving the issue.
This particular vulnerability is the result of the way the application parses the proprietary file format used for GarageBand files, .band. The format is broken into chunks with a specific length fie
Threat Intel
APT28 (APT28, IRON TWILIGHT, SNAKEMACKEREL)
threat_intel
# Threat Actor Profile: APT28
ATT&CK ID: G0007
Also known as: APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch
Suspected origin: Russia
## Overview
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-412
arXiv
Identification of Attack Paths Using Kill Chain and Attack Graphs
arxiv_fulltext · 2022-06-21
Lukáš Sadlek (1,2), Pavel Čeleda (1,2), Daniel Tovarňák (1)
1 Institute of Computer Science, Masaryk University, Brno, Czech Republic
2 Faculty of Informatics, Masaryk University, Brno, Czech Republic
## Abstract
The ever-evolving capabilities of cyber attackers force security administrators to focus on the early identification of emerging threats. Targeted cyber attacks usually consist of several phases, from initial reconnaissance of the network environment to final impact on objectives. This paper investigates the identification of multi-step cyber threat scenarios using kill chain and attack graphs.
Kill chain and attack graphs are threat modeling concepts that enable
References
- http://www.securityfocus.com/bid/98279
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0262

Published: 2017-05-12
Added to CISA KEV: 2022-02-10
Exploited in the wild