Is CVE-2017-0199 the new CVE-2012-0158?

Posted by   Martijn Grooten on   Jun 20, 2017

There are two good reasons not to be concerned about CVE-2012-0158, an RTF handling vulnerability in Microsoft Office. First, the vulnerability was patched more than five years ago, so if you follow good security practices and patch regularly, you won't have to worry about it. Secondly, if you are following those good security practices, you won't be likely to open email attachments sent by strangers: CVE-2012-0158 requires the target to open a document.

Unfortunately, for many users and organizations, patching appears to be more difficult than it might seem from the ivory towers of security bloggers. What's more, malicious emails have long been disguising themselves as emails that explicitly do not come from strangers, thus making the opening of the attached documents a seemingly safe thing to do.

As a result, over the past five years CVE-2012-0158 has been used in APT attacks, in attacks against civil society and, as recently as three months ago, in a large spam campaign.

 

 

But CVE-2012-0158 may have finally found a successor in CVE-2017-0199, another vulnerability in Microsoft Office. The first known exploit of this vulnerability was used in the wild in November last year, and samples exploiting what was still a zero-day vulnerability were written about by security firms in April of this year. A few days later, on 10 April, the exploit was used in a large campaign spreading the Dridex trojan (a rare case of a zero-day exploit being used in the wild on a large scale) before Microsoft released a patch for the vulnerability a day later.

According to Sophos researcher Gabor Szappanos, who has written a paper on CVE-2017-0199, more than three quarters of malicious office documents now use this exploit, with CVE-2012-0158 a very distant second. (Note that this does not include Office documents with malicious macros embedded in them; the only vulnerability these exploit are gullible humans.)

 

officeexploitusage2017.png

In the paper, Gabor looks at the history of the exploit and how various groups have been using it. He also looks at how it found its way into Office exploit builders, rogue software toolkits that automate the creation of malicious exploits and that are commonly used in both APTs and cybercrminal attacks.

Gabor will present a paper on Office exploit builders at VB2017 in Madrid. He will analyse five such exploit builders, all of which are used to generate actual malware. Perhaps unsurprisingly, the only vulnerability that all five builders 'support' is CVE-2012-0158, which itself was the subject of a VB conference paper in 2013 (pdf). No doubt, by the time Gabor presents his paper in October, CVE-2017-0199 will feature just as prominently, if not more so.

Join Gabor and more than 50 other security experts from around the world for VB2017 in Madrid. Register before the end of June to quality for a 10% Early Bird discount. A number of sponsor opportunities are still available.

VB2017-325w.jpg

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VBSpam tests to be executed under the AMTSO framework

VB is excited to announce that, starting from the Q3 test, all VBSpam tests of email security products will be executed under the AMTSO framework.

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.