CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.975 High
Percentile: 99.9%
Microsoft OLE uses the URL Moniker to open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.
Microsoft OLE uses the URL Moniker to process remotely-linked content in a vulnerable manner. The remote content is opened by the application associated with the server-provided MIME type. Some MIME types are dangerous, as they can result in code execution. For example, the application/hta MIME type is associated with mshta.exe. Opening arbitrary HTA content is equivalent to executing arbitrary code. This vulnerability is reportedly being exploited in the wild. The exploits used in the wild have the following characteristics:
* The document that triggers the URL Moniker vulnerability is an RTF document that masquerades as a Microsoft Word DOC file.
* The exploit connects to a remote server to obtain and execute an HTA file, which contains VBScript to be executed by the client.
Note that depending on the nature of the vulnerability, it may be possible to target Microsoft Windows components other than Microsoft Word. This vulnerability reportedly affects all versions of Microsoft Office, including Office 2016 on Windows 10. It is also reported that Microsoft Office Protected View can help prevent exploitation without user interaction.
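As an added illustration (not CERT/CC code), the following Python triage heuristic flags the traits listed above in a file handed to it. The URL Moniker CLSID, its byte order inside an RTF \objdata blob, and the \objupdate control word are assumptions drawn from the OLE and RTF formats rather than from this note, and the sample document is constructed.

```python
import re
from pathlib import PurePath

# Added illustration, not CERT/CC code: a triage heuristic for the document pattern
# described in the advisory. It is not a full RTF or OLE parser.
# URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in the byte order it takes
# inside an RTF \objdata hex blob (assumption drawn from the OLE format, not the note).
URL_MONIKER_LE = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+", re.IGNORECASE)


def objdata_blobs(data: bytes) -> list:
    """Decode every \\objdata hex payload found in an RTF byte string."""
    text = data.decode("latin-1")
    blobs = []
    for m in re.finditer(r"\\objdata\b\s*([0-9a-fA-F\s]+)", text):
        hexstr = re.sub(r"\s+", "", m.group(1))
        blobs.append(bytes.fromhex(hexstr[: len(hexstr) & ~1]))  # drop a dangling nibble
    return blobs


def assess(filename: str, data: bytes) -> dict:
    """Flag the traits listed above: RTF named .doc, URL Moniker object, remote URL."""
    blobs = objdata_blobs(data)
    urls = []
    for blob in blobs:
        # Strip NULs so a UTF-16LE URL inside the OLE stream matches the ASCII regex.
        urls += [u.decode("ascii") for u in URL_RE.findall(blob.replace(b"\x00", b""))]
    is_rtf = data.lstrip().startswith(b"{\\rt")
    result = {
        "is_rtf": is_rtf,
        "masquerades_as_doc": is_rtf and PurePath(filename).suffix.lower() in {".doc", ".docx"},
        "url_moniker": any(URL_MONIKER_LE in b for b in blobs),
        "auto_update": b"\\objupdate" in data,  # RTF control word: refresh the link on open
        "remote_urls": urls,
    }
    # The server-provided MIME type picks the handler, so the URL's suffix is only a hint.
    result["suspicious"] = result["masquerades_as_doc"] and result["url_moniker"] and bool(urls)
    return result


def constructed_sample(url: str) -> bytes:
    """Constructed fixture (no payload, not a real document) shaped like the samples above."""
    wurl = (url + "\x00").encode("utf-16-le")
    stream = b"\x01\x05\x00\x00" + URL_MONIKER_LE + len(wurl).to_bytes(4, "little") + wurl + b"\x00" * 4
    return b"{\\rtf1\\ansi{\\object\\objupdate{\\*\\objdata " + stream.hex().encode() + b"}}}"


if __name__ == "__main__":
    print(assess("invoice.doc", constructed_sample("http://example.invalid/update.hta")))
```

Run it over a directory of attachments as a first-pass filter; a full parser such as an OLE-aware tool should confirm any hit.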
By convincing a user to open a specially-crafted document, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system.
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:
Apply an update
This issue is addressed in the following Microsoft Security update: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>
Please refer to this document and install all relevant updates for both Microsoft Windows and Microsoft Office.
Note: Even with these updates, remotely-linked OLE content is still retrieved and saved according to server-provided MIME type before any user interaction if the document is not in Protected Mode. The update prevents HTA content from being executed after it has been retrieved in such a manner.
Disable the application/hta MIME handler
This exploit appears to be blocked by disabling the MIME handler for application/hta. The handler for this MIME type can be overridden with the “plain text” handler using the following registry value:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/hta]
"CLSID"="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
Block RTF documents in Microsoft Word
Exploits in the wild utilize RTF documents. RTF documents can be blocked in Microsoft Word by using the File Block Settings in the Microsoft Office Trust Center. For example, the following registry values can be used to block the opening of RTF documents in Word 2016:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]
"OpenInProtectedView"=dword:00000000
"RtfFiles"=dword:00000002
For other versions of Office, the path above will need to be modified to match the version number associated with the installed version of Office.
VU#921560
Vendor status (updated April 10, 2017): Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector
---|---|---
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal | 6.8 | E:F/RL:W/RC:C
Environmental | 6.8 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND
Public exploitation of this vulnerability was reported by McAfee and FireEye.
This document was written by Will Dormann.
CVE IDs: CVE-2017-0199
Date Public: 2017-04-07
Date First Published:
References
blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
support.office.com/en-us/article/What-is-File-Block-10d0e0ab-fecf-4605-befd-1e6563e7686d
support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/