[SingCERT] Alert on Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882)

Published on Friday, 24 November 2017 14:46

Background

On 14th November 2017, Microsoft reported a remote code vulnerability in Microsoft Office software when the software fails to properly handle data in memory.

Affected systems include:

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2016 Service (32-bit editions)
  • Microsoft Office 2016 Service (64-bit editions)
Impact

When successfully exploited, an attacker could execute arbitrary code on a user’s system and create accounts with full user rights, install programs, view, change or delete data. The attack could be conducted via phishing when a victim unknowingly opens a malicious file sent through email or when a victim clicks on a malicious file hosted on a website. User accounts with administrative rights could be seriously compromised.

Recommendations

  • Users are advised to update affected Microsoft Office systems to the latest version.
  • Users should also enable Protected View to prevent active content execution by running these commands in the command prompt:
    reg add “HKLMSOFTWAREMicrosoftOfficeCommonCOM Compatibility{0002CE02-0000-0000-C000-000000000046}” /v “Compatibility Flags” /t REG_DWORD /d 0x400
  • For 32-bit Microsoft Office package in x64 OS, the command to run is:
    reg add “HKLMSOFTWAREWow6432NodeMicrosoftOfficeCommonCOM Compatibility{0002CE02-0000-0000-C000-000000000046}” /v “Compatibility Flags” /t REG_DWORD /d 0x400
References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882