Rich Text Format (RTF) is a text file format supported by various Microsoft products and word processors. RTF supports text styling, images, and embedded objects.

Problem

A vulnerability in Microsoft Word and WordPad could allow command execution when a user opens a specially crafted RTF file containing an embedded object which links to an HTA file on an attacker’s web site.

Resolution

Apply one of the updates referenced in Microsoft advisory CVE-2017-0199.

References

<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>
<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>

Limitations

Exploit works on Windows 7, and requires a user to open the RTF file in Microsoft Word or WordPad.

Platforms

Windows

saint 2

threatpost 14

malwarebytes 9

fireeye 16

thn 7

openvas 8

metasploit 1

cisa_kev 1

mscve 1

myhack58 14

exploitpack 2

packetstorm 3

securelist 25

zdt 4

mskb 9

talosblog 9

checkpoint_advisories 1

attackerkb 1

nessus 6

cve 1

ics 6

prion 1

hivepro 2

seebug 2

mssecure 2

rapid7community 2

cert 1

exploitdb 3

avleonov 1

kaspersky 4

canvas 1

trellix 2

qualysblog 5

saint

Microsoft Word and WordPad RTF HTA handler command execution

2017-04-20 00:00:00

Microsoft Word and WordPad RTF HTA handler command execution

2017-04-20 00:00:00

threatpost

Spy Campaign Spams Pro-Tibet Group With ExileRAT

2019-02-04 20:45:00

AZORult Campaign Adopts Novel Triple-Encryption Technique

2020-02-03 20:58:25

Stealthy Malware Hidden in Images Takes to GoogleUserContent

2018-07-19 19:29:29

malwarebytes

Blocks for Flash and others coming to Office 365

2018-06-01 15:00:00

Fake IRS notice delivers customized spying tool

2017-09-21 15:00:24

APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT

2020-03-16 15:00:00

fireeye

CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

2017-04-11 13:30:00

Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit

2017-06-27 17:30:00

CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

2017-04-11 13:30:00

thn

Indian-Made Mobile Spyware Targeted Human Rights Activist in Togo

2021-10-11 09:21:00

Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry

2017-06-27 03:32:00

Not Just Criminals, But Governments Were Also Using MS Word 0-Day Exploit

2017-04-12 21:41:00

openvas

Microsoft Office Suite Remote Code Execution Vulnerability (KB3178710)

2017-04-12 00:00:00

Microsoft Office Suite Remote Code Execution Vulnerability (KB3141529)

2017-04-12 00:00:00

Microsoft Office Suite Remote Code Execution Vulnerability (KB3178703)

2017-04-12 00:00:00

metasploit

Microsoft Office Word Malicious Hta Execution

2017-04-15 02:32:48

cisa_kev

Microsoft Office and WordPad Remote Code Execution Vulnerability

2021-11-03 00:00:00

mscve

Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows

2017-04-11 07:00:00

myhack58

CVE-2017-0199: analysis Microsoft Office RTF vulnerability-vulnerability warning-the black bar safety net

2017-04-13 00:00:00

CVE-2017-0199: in-depth analysis of the Microsoft Office RTF vulnerability-vulnerability warning-the black bar safety net

2017-06-08 00:00:00

A newline character causes the Oscar vulnerability 0day(CVE-2017-8759)reproduction-latest Office the highest level of threat attack warning-vulnerability warning-the black bar safety net

2017-09-13 00:00:00

exploitpack

Microsoft Word - .RTF Remote Code Execution

2017-04-18 00:00:00

Microsoft Office - Composite Moniker Remote Code Execution

2018-01-09 00:00:00

packetstorm

Microsoft Office Word Malicious Hta Execution

2017-04-24 00:00:00

Microsoft RTF Remote Code Execution

2017-04-19 00:00:00

Microsoft Word MTA Handler Remote Code Execution

2017-06-27 00:00:00

securelist

RevengeHotels: cybercrime targeting hotel front desks worldwide

2019-11-28 10:00:48

The BlueNoroff cryptocurrency hunt is still on

2022-01-13 09:00:23

APT Trends report Q3 2017

2017-11-14 09:41:27

zdt

Microsoft Word - .RTF Remote Code Execution Exploit

2017-04-19 00:00:00

Microsoft Office / WordPad Remote Code Execution Vulnerability

2017-04-16 00:00:00

Microsoft Excel - OLE Arbitrary Code Execution Exploit

2017-10-18 00:00:00

mskb

Description of the security update for Office 2013: April 11, 2017

2017-04-11 07:00:00

Description of the security update for Office 2010: April 11, 2017

2017-04-11 07:00:00

Description of the security update for Office 2016: April 11, 2017

2017-04-11 07:00:00

talosblog

New campaign uses government, union-themed lures to deliver Cobalt Strike beacons

2022-09-28 12:12:00

JhoneRAT: Cloud based python RAT targeting Middle Eastern countries

2020-01-19 02:58:29

ExileRAT shares C2 with LuckyCat, targets Tibet

2019-02-04 08:00:00

checkpoint_advisories

Microsoft Outlook Remote Code Execution (CVE-2017-0199)

2017-04-11 00:00:00

attackerkb

CVE-2017-0199

2017-04-12 00:00:00

nessus

KB4014793: Microsoft Wordpad Remote Code Execution vulnerability (April 2017)

2017-10-20 00:00:00

Security Update for Microsoft Office Products (April 2017) (Petya)

2017-04-12 00:00:00

MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)

2017-03-20 00:00:00

cve

CVE-2017-0199

2017-04-12 14:59:00

ics

Dridex Malware

2020-06-30 12:00:00

Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks

2022-02-24 12:00:00

Top 10 Routinely Exploited Vulnerabilities

2020-05-12 12:00:00

prion

Remote code execution

2017-04-12 14:59:00

hivepro

SnatchCrypto campaign carried out by North Korean APT 38 subsidiary BlueNoroff

2022-01-14 06:23:18

Actors, Threats and Vulnerabilities 08 to 14 May 2023

2023-05-16 06:27:25

seebug

Microsoft Office OLE2Link vulnerability (CVE-2017-0199)

2017-04-12 00:00:00

FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY

2017-09-14 00:00:00

mssecure

Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis

2018-07-11 18:50:14

Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks

2017-11-21 13:46:01

rapid7community

Patch Tuesday - April 2017

2017-04-12 03:13:07

Metasploit Weekly Wrapup

2017-05-05 20:37:48

cert

Microsoft OLE URL Moniker improperly handles remotely-linked HTA data

2017-04-10 00:00:00

exploitdb

Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)

2017-04-25 00:00:00

Microsoft Word - '.RTF' Remote Code Execution

2017-04-18 00:00:00

Microsoft Office - 'Composite Moniker Remote Code Execution

2018-01-09 00:00:00

avleonov

Petya the Great and why *they* don’t patch vulnerabilities

2017-06-29 21:29:50

kaspersky

KLA10995 Multiple arbitrary code execution vulnerabilities in Microsoft office

2016-09-09 00:00:00

KLA11024 Defense-in-Depth Update for Microsoft Office

2017-04-11 00:00:00

KLA11835 Multiple vulnerabilities in Microsoft Products (ESU)

2017-04-11 00:00:00

canvas

Immunity Canvas: OFFICE_WSDL

2017-09-13 01:29:00

trellix

The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain

2023-08-24 00:00:00

The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain

2023-08-24 00:00:00

qualysblog

Microsoft Fixes 45 Vulnerabilities with new Security Update Guide – says goodbye to Security Bulletins

2017-04-11 18:24:03

Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking

2019-12-27 18:01:22

Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)

2023-07-18 13:38:53

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%

JSON

Related for SAINT:DB6048DE08200736030664D3F0E6C764