CVE-2017-8487
published 2017-06-15


Priority: P2 · Severity: high · CVSS 3.0 base score: 7.8
CVSS 3.0 vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Exploitation status: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 62.53% (99.1th percentile)
Windows OLE in Windows XP and Windows Server 2003 allows an attacker to execute code when a victim opens a specially crafted file or program aka "Windows olecnv32.dll Remote Code Execution Vulnerability."

Affected (1 range)

Vendor: microsoft_corporation
Product: microsoft_windows
Version range / fixed in: not recorded in this entry (the description itself limits the bug to Windows XP and Windows Server 2003)

Detection & IOCs (extracted from sources)

other: IOCTL 0x390400 to \Device\KsecDD
path: \Device\KsecDD
bytes: 4d 3c 2b 1a 00 00 02 00 ff ff ff ff 00 00 00 00 20 00 00 00 ff ff ff ff 01 00 00 00 02 00 00 00 33 00 44 00 45 00 53 00 00 00
  • Monitor for DeviceIoControl calls targeting \Device\KsecDD with IOCTL code 0x390400 whose input buffer carries operation code 0x00020000 in bytes 4-7 (little-endian, as in the sample bytes above); that combination is what triggers the uninitialized kernel pool memory disclosure.
  • Flag processes that open \Device\KsecDD with FILE_READ_DATA | FILE_WRITE_DATA access via NtOpenFile outside the expected system processes, especially when the open is followed immediately by a DeviceIoControl with IOCTL 0x390400.
  • The CVE-2017-8487 vulnerability itself resides in olecnv32.dll on Windows XP and Windows Server 2003; monitor for suspicious loading or execution of this DLL triggered by opening crafted files.
  • Caveat on source attribution: the exploit-db entry (42211) describes a KsecDD kernel pool memory disclosure bug, which is a different vulnerability from the olecnv32.dll RCE described by CVE-2017-8487. The two appear to have been cross-linked; validate the source before correlating the KsecDD IOCs with this CVE.
  • CVE-2017-8487 affects only Windows XP and Windows Server 2003, so these IOCs and detections are relevant only on those end-of-life platforms.
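The two KsecDD detection bullets above can be turned into a concrete check. The following Python is an added example written for this page, not code from any of the entry's sources, and it carries the page's own caveat that the KsecDD IOC may belong to a different bug than CVE-2017-8487. It decodes the IOCTL 0x390400 into its CTL_CODE fields, reads the operation code from bytes 4-7 of the quoted IOC buffer, and runs the open-then-IOCTL correlation over a handful of constructed telemetry records. The allow-list of processes expected to talk to KsecDD (lsass.exe, services.exe, svchost.exe) is an assumption for the example, not something the page states; tune it from a baseline of your own hosts.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOC values as quoted on this page
KSECDD_DEVICE = r"\Device\KsecDD"
KSECDD_IOCTL = 0x390400
LEAK_OPCODE = 0x00020000          # operation code carried in bytes 4-7 of the input buffer
IOC_BUFFER = bytes.fromhex(
    "4d 3c 2b 1a 00 00 02 00 ff ff ff ff 00 00 00 00 20 00 00 00 "
    "ff ff ff ff 01 00 00 00 02 00 00 00 33 00 44 00 45 00 53 00 00 00"
)

# Access bits named in the second detection bullet (Windows FILE_READ_DATA | FILE_WRITE_DATA)
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
RW_ACCESS = FILE_READ_DATA | FILE_WRITE_DATA

# Assumption for this example only: images that legitimately talk to KsecDD on the monitored hosts.
EXPECTED_IMAGES = {"lsass.exe", "services.exe", "svchost.exe"}


def decode_ctl_code(code: int) -> Tuple[int, int, int, int]:
    """Split a Windows CTL_CODE into (device_type, required_access, function, method)."""
    return (code >> 16) & 0xFFFF, (code >> 14) & 0x3, (code >> 2) & 0xFFF, code & 0x3


def opcode_of(buf: bytes) -> Optional[int]:
    """Little-endian DWORD at offset 4, or None when the buffer is too short to hold one."""
    if len(buf) < 8:
        return None
    return struct.unpack_from("<I", buf, 4)[0]


def trailing_utf16(buf: bytes, offset: int = 32) -> str:
    """Decode the UTF-16LE tail of the buffer (offset 32 onward in the page's sample bytes)."""
    return buf[offset:].decode("utf-16-le", errors="replace").rstrip("\x00")


@dataclass
class Event:
    """One constructed telemetry record; kind is 'open' (NtOpenFile) or 'ioctl' (DeviceIoControl)."""
    pid: int
    image: str
    kind: str
    device: str
    access: int = 0                 # open: requested access mask
    ioctl: int = 0                  # ioctl: control code
    input_buffer: bytes = b""       # ioctl: input buffer


def classify(events: List[Event]) -> List[str]:
    """Return one reason string per suspicious KsecDD interaction, in event order."""
    reasons: List[str] = []
    pending_open = set()            # pids whose unexpected read/write open of KsecDD is unresolved
    for ev in events:
        if ev.device.lower() != KSECDD_DEVICE.lower():
            continue
        unexpected = ev.image.lower() not in EXPECTED_IMAGES
        if ev.kind == "open":
            if unexpected and (ev.access & RW_ACCESS) == RW_ACCESS:
                reasons.append(f"pid {ev.pid} {ev.image}: read/write open of KsecDD")
                pending_open.add(ev.pid)
        elif ev.kind == "ioctl" and ev.ioctl == KSECDD_IOCTL:
            leak = opcode_of(ev.input_buffer) == LEAK_OPCODE
            if leak or unexpected or ev.pid in pending_open:
                tag = f"pid {ev.pid} {ev.image}: IOCTL 0x{ev.ioctl:06x}"
                if leak:
                    tag += ", opcode 0x00020000"
                if ev.pid in pending_open:
                    tag += ", preceded by unexpected open"
                reasons.append(tag)
    return reasons


# Constructed sample telemetry: a benign lsass.exe exchange, then a stand-in PoC process
# that opens KsecDD read/write and sends the exact IOC buffer.
SAMPLE_EVENTS = [
    Event(612, "lsass.exe", "open", KSECDD_DEVICE, access=RW_ACCESS),
    Event(612, "lsass.exe", "ioctl", KSECDD_DEVICE, ioctl=KSECDD_IOCTL,
          input_buffer=b"\x00" * 4 + struct.pack("<I", 0x00010000) + b"\x00" * 8),
    Event(4242, "poc.exe", "open", KSECDD_DEVICE, access=RW_ACCESS),
    Event(4242, "poc.exe", "ioctl", KSECDD_DEVICE, ioctl=KSECDD_IOCTL, input_buffer=IOC_BUFFER),
    Event(900, "notepad.exe", "ioctl", r"\Device\Null", ioctl=KSECDD_IOCTL, input_buffer=IOC_BUFFER),
]


def demo() -> List[str]:
    return classify(SAMPLE_EVENTS)


if __name__ == "__main__":
    dev, acc, fn, method = decode_ctl_code(KSECDD_IOCTL)
    print(f"IOCTL 0x{KSECDD_IOCTL:06x}: device type 0x{dev:02x}, access {acc}, function 0x{fn:03x}, method {method}")
    print(f"IOC buffer opcode: 0x{opcode_of(IOC_BUFFER):08x}, trailing string: {trailing_utf16(IOC_BUFFER)!r}")
    for reason in demo():
        print(reason)
```

The opcode check is deliberately tied to the IOCTL (a 0x00020000 DWORD at offset 4 means nothing on another control code), and the unresolved-open set is keyed by pid so that a benign system process issuing the same IOCTL does not inherit another process's open. Decoding the control code is a quick sanity check when transcribing IOCs: 0x390400 splits into device type 0x39, function 0x100, METHOD_BUFFERED and FILE_ANY_ACCESS, which is what a KsecDD control request should look like.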

CVSS provenance

NVD v3.0: 7.8 HIGH (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
NVD v2.0: 9.3, labelled CRITICAL in this entry (AV:N/AC:M/Au:N/C:C/I:C/A:C); note that NVD's own v2 severity bands stop at HIGH, and that v2 rates the attack vector as network while v3 rates it local with user interaction, which is how a file-format bug delivered by mail or web is normally scored under each standard
VulnCheck: 7.8 HIGH