New analysis indicates that a well-known security vulnerability in Microsoft Office is still exploited by threat groups. The vulnerability in question is CVE-2017-11882, a memory corruption flaw in Microsoft Office Equation Editor, first discovered in December 2017.
The exploit allows attackers to execute code remotely once the victim opens a malicious document, a delivery method commonly known as phishing. Once the malicious document is opened, the victim’s computer is infected with a specific malicious payload.
CVE-2017-11882 Still Exploited by Attackers
Security researchers say that despite being patched three years ago, the vulnerability is still exploited by various threat groups. In a conversation with ZDNet, Alex Holland, senior malware analyst at HP, pointed out that its popularity “may be due to home users and businesses not updating to newer, patched versions of Office.” “We commonly see this vulnerability being exploited by attackers who distribute easily-obtainable remote access trojans,” the researcher added.
In June 2019, we reported on a malware campaign that used emails in European languages to distribute RTF files carrying CVE-2017-11882. The exploit allowed attackers to run malicious code automatically, without any user interaction.
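Because the campaigns above deliver the exploit inside RTF files that embed an Equation Editor object, a first triage step on the defending side is to flag documents declaring that object. The scanner below is an added example, not code from the article or from the researchers quoted in it; it assumes the standard Equation Editor 3.0 ProgID (`Equation.3`) and CLSID, and runs on a constructed sample rather than a real malicious document.

```python
"""Heuristic scanner for RTF files embedding an Equation Editor OLE object (CVE-2017-11882 target)."""
import re

# Well-known identifiers of the Equation Editor 3.0 COM server; assumed from
# its standard class registration, not taken from the article.
EQNEDT_PROGID = b"Equation.3"
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"
# {\*\objclass Equation.3} names the embedded object's class in clear text;
# {\*\objdata 0105...} carries the OLE1 object as hex, often split over lines.
OBJCLASS_RE = re.compile(rb"\\objclass\s*([^}\\]+)", re.IGNORECASE)
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)", re.IGNORECASE)

def clsid_bytes(clsid: str) -> bytes:
    """Serialise a GUID as stored on disk (first three fields little-endian)."""
    d1, d2, d3, d4, d5 = clsid.split("-")
    return (bytes.fromhex(d1)[::-1] + bytes.fromhex(d2)[::-1]
            + bytes.fromhex(d3)[::-1] + bytes.fromhex(d4 + d5))

def scan_rtf(data: bytes) -> list[str]:
    """Return findings for one document; an empty list means nothing flagged."""
    findings = []
    if not data.lstrip().startswith(b"{\\rt"):  # \rtf1 is often truncated to \rt
        return findings
    for m in OBJCLASS_RE.finditer(data):
        if EQNEDT_PROGID.lower() in m.group(1).strip().lower():
            findings.append("objclass names Equation.3")
    clsid = clsid_bytes(EQNEDT_CLSID)
    for m in OBJDATA_RE.finditer(data):
        try:
            blob = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode("ascii"))
        except ValueError:
            continue  # odd-length or garbled hex cannot be decoded; skip it
        if EQNEDT_PROGID in blob:
            findings.append("objdata OLE1 header names Equation.3")
        if clsid in blob:
            findings.append("objdata contains the Equation Editor CLSID")
    return findings

def _ole1_hex(progid: bytes) -> bytes:
    """Build a minimal OLE1 ObjectHeader (version, embedded format id, name)."""
    hdr = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
           + (len(progid) + 1).to_bytes(4, "little") + progid + b"\x00")
    return hdr.hex().encode()

# Constructed samples, not real documents: one declares an Equation Editor
# object, the other has no embedded objects at all.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
              b"{\\*\\objdata " + _ole1_hex(EQNEDT_PROGID) + b"}}}")
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report with no embedded objects.}"
```

A hit only means the document embeds an Equation Editor object, which legitimate older documents also do; treat it as a reason to inspect or sandbox the file, and pair it with the patch and the vendor's Equation Editor mitigations rather than relying on the heuristic alone.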
It is noteworthy that the flaw has been used in combination with several others in campaigns delivering the CobInt Trojan.
An attacker who successfully exploits CVE-2017-11882 could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system to install programs or view, change, or delete data. An attacker could also create new accounts with full user rights.
CVE-2017-11882 has been classified as one of the most exploited vulnerabilities. The flaw even made it to Recorded Future’s list dedicated to the 10 most exploited vulnerabilities in 2018.
In 2020, it accounted for nearly 87% of all exploits in use. This year, another vulnerability, CVE-2017-0199, is gaining popularity among cybercriminals.