Is CVE-2017-0199 the new CVE-2012-0158?

Posted by   Martijn Grooten on   Jun 20, 2017

There are two good reasons not to be concerned about CVE-2012-0158, an RTF handling vulnerability in Microsoft Office. First, the vulnerability was patched more than five years ago, so if you follow good security practices and patch regularly, you won't have to worry about it. Secondly, if you are following those good security practices, you won't be likely to open email attachments sent by strangers: CVE-2012-0158 requires the target to open a document.

Unfortunately, for many users and organizations, patching appears to be more difficult than it might seem from the ivory towers of security bloggers. What's more, malicious emails have long been disguising themselves as emails that explicitly do not come from strangers, thus making the opening of the attached documents a seemingly safe thing to do.

As a result, over the past five years CVE-2012-0158 has been used in APT attacks, in attacks against civil society and, as recently as three months ago, in a large spam campaign.

 

 

But CVE-2012-0158 may have finally found a successor in CVE-2017-0199, another vulnerability in Microsoft Office. The first known exploit of this vulnerability was used in the wild in November last year, and samples exploiting what was still a zero-day vulnerability were written about by security firms in April of this year. A few days later, on 10 April, the exploit was used in a large campaign spreading the Dridex trojan (a rare case of a zero-day exploit being used in the wild on a large scale) before Microsoft released a patch for the vulnerability a day later.

According to Sophos researcher Gabor Szappanos, who has written a paper on CVE-2017-0199, more than three quarters of malicious office documents now use this exploit, with CVE-2012-0158 a very distant second. (Note that this does not include Office documents with malicious macros embedded in them; the only vulnerability these exploit are gullible humans.)

 

officeexploitusage2017.png

In the paper, Gabor looks at the history of the exploit and how various groups have been using it. He also looks at how it found its way into Office exploit builders, rogue software toolkits that automate the creation of malicious exploits and that are commonly used in both APTs and cybercrminal attacks.

Gabor will present a paper on Office exploit builders at VB2017 in Madrid. He will analyse five such exploit builders, all of which are used to generate actual malware. Perhaps unsurprisingly, the only vulnerability that all five builders 'support' is CVE-2012-0158, which itself was the subject of a VB conference paper in 2013 (pdf). No doubt, by the time Gabor presents his paper in October, CVE-2017-0199 will feature just as prominently, if not more so.

Join Gabor and more than 50 other security experts from around the world for VB2017 in Madrid. Register before the end of June to quality for a 10% Early Bird discount. A number of sponsor opportunities are still available.

VB2017-325w.jpg

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2019 preview: Exploring Emotet, an elaborate everyday enigma

We preview the VB2019 paper by Sophos researcher Luca Nagy, who dives deeply into the notorious Emotet malware.

VB2019 preview: A study of Machete cyber espionage operations in Latin America

Researchers from the Czech Technical University in Prague will present a very comprehensive overview of the Machete APT group.

AfricaHackon 2019: a great event and a reminder that security is global

Last week, VB Editor Martijn Grooten travelled to the Kenyan capital Nairobi to speak at the 6th edition of the AfricaHackon event.

Virus Bulletin researcher discovers new Lord exploit kit

Still in-development kit thus far only targets Flash Player vulnerabilities

VB2019 call for last-minute papers opened

The call for last-minute papers for VB2019 is now open. Submit before 1 September to have your abstract considered for one of the nine slots reserved for 'hot' research.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.