Microsoft addresses CVE-2017-11826 Office Zero-Day used to deliver malware

Share this…

Microsoft October Patch Tuesday addresses the CVE-2017-11826 Office Zero-Day vulnerability that has been exploited in the wild in targeted attacks.

Yesterday we discussed Microsoft’s October Patch Tuesday addressed three critical zero-day security vulnerabilities tied to the DNSSEC protocol.

Going deep in the analysis of the Patch Tuesday updates for October 2017 we can see that Microsoft addressed a total of 62 vulnerabilities, including a critical Office zero-day flaw that has been exploited in the wild in targeted attacks.

The vulnerability, tracked as CVE-2017-11826, is a memory corruption issue affecting all supported versions of Office and was rated as “important.” A remote attacker can exploit the vulnerability to execute arbitrary code by tricking victims into opening a specially crafted file.

“A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. ” reads the security advisory published by Microsoft. 

“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software.”

The vulnerability was spotted by researchers at China-based security firm Qihoo 360 who confirmed to have observed for the first time an attack exploiting this flaw on September 28.

The attacks aimed a small number of the organizations, attackers triggered the CVE-2017-11826 by using malicious RTF files.

“On September 28, 2017, Qihoo 360 Core Security (@360CoreSec) detected an in-the-wild attack that leveraged CVE-2017-11826, an office 0day vulnerability. This vulnerability exists in all the supported office versions. The attack only targeted limited customers. The attacker embedded malicious .docx in the RTF files.” reads the blog post published by Qihoo 360.

“This attack that Qihoo 360 detected in the wild is initiated with RTF (Rich Text Format) files. The RTF file contains highly targeted phishing subfiles to allure user to open.”

According to Qihoo 360, the analysis of the command and control (C&C) server used by the attackers revealed the operation was initiated in August and the first attacks were launched in September.

The campaign observed by Qihoo 360 was spreading a Trojan designed to steal sensitive information from target devices.


The Qihoo 360 researchers added the attack also involved a DLL hijacking vulnerability in a “well-known” security software.

Upon the detection of the CVE-2017-11826 zero-day vulnerability, 360 has released a hot patch which is available in the latest updates. Attacks using office 0day vulnerabilities targeting common users have been increasing since the beginning of 2017.