cbcvebase.
CVE-2017-11774
published 2017-10-13

Priority: P1 (81, high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (due 2022-05-03); exploited in the wild
EPSS: 59.89% (99.0th percentile)
Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability."

Affected (10 ranges; the version range and fixed-in columns are empty in the source)

Vendor | Product | Version range | Fixed in
microsoft | outlook | |
microsoft | outlook | |
microsoft | outlook | |
microsoft_corporation | microsoft_outlook | |
microsoft_corporation | microsoft_outlook | |
microsoft_corporation | microsoft_outlook | |
msrc | microsoft_outlook_2010_service_pack_2 | |
msrc | microsoft_outlook_2013_rt_service_pack_1 | |
msrc | microsoft_outlook_2013_service_pack_1 | |
msrc | microsoft_outlook_2016 | |

Detection & IOCs (extracted from sources)

registry: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\
snort: SID 1:8068
  • Monitor for creation or modification of Outlook WebView registry keys under HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\ pointing to external URLs, which is the mechanism used by the Specula tool and APT33 to establish persistence via CVE-2017-11774.
  • Detect VBScript or JScript execution spawned from or within the context of outlook.exe, as the attacker-controlled home page serves custom VBScript files for arbitrary command execution.
  • Alert on Snort SID 1:8068 (Browser-plugins class) for network-level detection of CVE-2017-11774 exploitation attempts.
  • Use Check Point IPS blade signature 'Microsoft Outlook Security Feature Bypass (CVE-2017-11774)' for network-level detection of active exploitation by APT33.
  • Hunt for the Outlook Home Page (T1137.004) persistence technique; OilRig/APT34 abused this feature and used CVE-2017-11774 to roll back the patch protecting against Home Page abuse.
  • Even fully patched Office 365 builds remain vulnerable to the Specula/CVE-2017-11774 technique via registry manipulation, because Microsoft removed the UI but did not prevent registry-based home page configuration.
  • Initial device compromise is required to set the malicious Outlook registry entry, but once set the technique enables persistence and lateral movement without further exploitation.
  • Qualys QID 110306 can be used to scan for CVE-2017-11774 exposure in the environment.
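An added, defender-side example (not from this page or its sources) that turns the registry bullet above into a hunt: it enumerates the Outlook WebView key, lists every configured folder home page, and flags remote http(s) targets as the pattern Specula and APT33 used. It assumes the per-folder subkeys (e.g. Inbox) hold the page in a string value named URL, and it also checks the 14.0 and 15.0 Office keys in addition to the 16.0 path quoted on the page.

```powershell
# Hunt for Outlook Home Page (T1137.004) persistence in the current user's hive.
# Assumption: subkeys under ...\Outlook\WebView\ (Inbox, Calendar, ...) carry a
# REG_SZ value named "URL"; 14.0/15.0 are checked alongside the 16.0 key from the page.
$versions = '14.0', '15.0', '16.0'
# For fleet checks, load other profiles and add 'HKU:\<SID>' after:
#   New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
$hives = @('HKCU:')

$findings = foreach ($hive in $hives) {
    foreach ($v in $versions) {
        $base = Join-Path $hive "Software\Microsoft\Office\$v\Outlook\WebView"
        if (-not (Test-Path $base)) { continue }
        foreach ($folder in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
            $url = (Get-ItemProperty -Path $folder.PSPath -ErrorAction SilentlyContinue).URL
            if ([string]::IsNullOrWhiteSpace($url)) { continue }
            # Any configured home page deserves review; a remote URL is the Specula/APT33 pattern.
            $remote = $url -match '^(?i)https?://'
            [pscustomobject]@{
                Hive     = $hive
                Office   = $v
                Folder   = $folder.PSChildName
                URL      = $url
                Severity = if ($remote) { 'HIGH' } else { 'REVIEW' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Outlook WebView home pages configured.'
}
```

Run it as the user whose Outlook profile is being checked; a HIGH row is worth correlating with the outlook.exe script-execution detection in the bullets above.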

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck | | 7.8 | HIGH |
cisa | | 7.8 | HIGH |
vendor_msrc | | 7.8 | HIGH |