Old Microsoft Office vulnerability CVE-2017-11882 actively being exploited in the wild

June 18, 2019

Attacks exploiting an one and half year old vulnerability in Microsoft office (CVE-2017-11882), are active in the wild again.

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the current user.

The vulnerability is caused by the Equation Editor, which fails to properly handle OLE objects in memory. This allows the attacker to execute arbitrary code in RTF files without interaction. Microsoft had patched this on 11/14/2017 . Recently Sonicwall Capture Labs threat research team observed a wave of exploits in the wild attacking this vulnerability.

The malicious rtf file has equation object

Microsoft has this warning about equation editor.

In the current wave of attacks, the malicious office document files are attached in the emails. The sender lures the user to open the file. The file has some content but the in background it exploits this vulnerability to download malicious payload on the victims computer.

The spam emails look like this:








The file when opened looks like this

The rtf file drops file and contacts the attacker-controlled server.

These types of attacks are a reminder to the importance of keeping systems updated with latest security patches.

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

  • SPY 5046 Malformed-File rtf.MP.22
  • GAV MalAgent.J_37354
  • GAV CB_3 (Exploit)
  • GAV H_12144 (Trojan)
  • GAV CB_4 (Exploit)
  • GAV CB_5 (Exploit)
  • GAV CB_6 (Exploit)
  • GAV BX_10 (Exploit)
  • GAV BS_4 (Exploit)
  • GAV AS (Exploit)

SonicWall Capture Advanced Threat Protection (ATP) with RTDMI provides protection against this threat.

Threat Graph:


Rtf files :