Is CVE-2017-0199 the new CVE-2012-0158?

Posted by   Martijn Grooten on   Jun 20, 2017

There are two good reasons not to be concerned about CVE-2012-0158, an RTF handling vulnerability in Microsoft Office. First, the vulnerability was patched more than five years ago, so if you follow good security practices and patch regularly, you won't have to worry about it. Secondly, if you are following those good security practices, you won't be likely to open email attachments sent by strangers: CVE-2012-0158 requires the target to open a document.

Unfortunately, for many users and organizations, patching appears to be more difficult than it might seem from the ivory towers of security bloggers. What's more, malicious emails have long been disguising themselves as emails that explicitly do not come from strangers, thus making the opening of the attached documents a seemingly safe thing to do.

As a result, over the past five years CVE-2012-0158 has been used in APT attacks, in attacks against civil society and, as recently as three months ago, in a large spam campaign.



But CVE-2012-0158 may have finally found a successor in CVE-2017-0199, another vulnerability in Microsoft Office. The first known exploit of this vulnerability was used in the wild in November last year, and samples exploiting what was still a zero-day vulnerability were written about by security firms in April of this year. A few days later, on 10 April, the exploit was used in a large campaign spreading the Dridex trojan (a rare case of a zero-day exploit being used in the wild on a large scale) before Microsoft released a patch for the vulnerability a day later.

According to Sophos researcher Gabor Szappanos, who has written a paper on CVE-2017-0199, more than three quarters of malicious office documents now use this exploit, with CVE-2012-0158 a very distant second. (Note that this does not include Office documents with malicious macros embedded in them; the only vulnerability these exploit are gullible humans.)



In the paper, Gabor looks at the history of the exploit and how various groups have been using it. He also looks at how it found its way into Office exploit builders, rogue software toolkits that automate the creation of malicious exploits and that are commonly used in both APTs and cybercrminal attacks.

Gabor will present a paper on Office exploit builders at VB2017 in Madrid. He will analyse five such exploit builders, all of which are used to generate actual malware. Perhaps unsurprisingly, the only vulnerability that all five builders 'support' is CVE-2012-0158, which itself was the subject of a VB conference paper in 2013 (pdf). No doubt, by the time Gabor presents his paper in October, CVE-2017-0199 will feature just as prominently, if not more so.

Join Gabor and more than 50 other security experts from around the world for VB2017 in Madrid. Register before the end of June to quality for a 10% Early Bird discount. A number of sponsor opportunities are still available.




Latest posts:

The spam that is hardest to block is often the most damaging

We see a lot of spam in the VBSpam test lab, and we also see how well such emails are being blocked by email security products. Worryingly, it is often the emails with a malicious attachment or a phishing link that are most likely to be missed.

Throwback Thursday: We're all doomed

Mydoom turns 15 this month, and is still being seen in email attachments. This Throwback Thursday we look back to March 2004, when Gabor Szappanos tracked the rise of W32/Mydoom.

VB2019 call for papers - now open!

Have you analysed a new online threat? Do you know a new way to defend against such threats? Are you tasked with securing systems and fending off attacks? The call for papers for VB2019 is now open and we want to hear from you!

VB2018 paper: Unpacking the packed unpacker: reversing an Android anti-analysis library

Today, we publish a VB2018 paper by Google researcher Maddie Stone in which she looks at one of the most interesting anti-analysis native libraries in the Android ecosystem. We also release the recording of Maddie's presentation.

VB2018 paper: Draw me like one of your French APTs – expanding our descriptive palette for cyber threat actors

Today, we publish the VB2018 paper by Chronicle researcher Juan Andres Guerrero-Saade, who argues we should change the way we talk about APT actors.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.