Is CVE-2017-0199 the new CVE-2012-0158?

Posted by   Martijn Grooten on   Jun 20, 2017

There are two good reasons not to be concerned about CVE-2012-0158, an RTF handling vulnerability in Microsoft Office. First, the vulnerability was patched more than five years ago, so if you follow good security practices and patch regularly, you won't have to worry about it. Secondly, if you are following those good security practices, you won't be likely to open email attachments sent by strangers: CVE-2012-0158 requires the target to open a document.

Unfortunately, for many users and organizations, patching appears to be more difficult than it might seem from the ivory towers of security bloggers. What's more, malicious emails have long been disguising themselves as emails that explicitly do not come from strangers, thus making the opening of the attached documents a seemingly safe thing to do.

As a result, over the past five years CVE-2012-0158 has been used in APT attacks, in attacks against civil society and, as recently as three months ago, in a large spam campaign.



But CVE-2012-0158 may have finally found a successor in CVE-2017-0199, another vulnerability in Microsoft Office. The first known exploit of this vulnerability was used in the wild in November last year, and samples exploiting what was still a zero-day vulnerability were written about by security firms in April of this year. A few days later, on 10 April, the exploit was used in a large campaign spreading the Dridex trojan (a rare case of a zero-day exploit being used in the wild on a large scale) before Microsoft released a patch for the vulnerability a day later.

According to Sophos researcher Gabor Szappanos, who has written a paper on CVE-2017-0199, more than three quarters of malicious office documents now use this exploit, with CVE-2012-0158 a very distant second. (Note that this does not include Office documents with malicious macros embedded in them; the only vulnerability these exploit are gullible humans.)



In the paper, Gabor looks at the history of the exploit and how various groups have been using it. He also looks at how it found its way into Office exploit builders, rogue software toolkits that automate the creation of malicious exploits and that are commonly used in both APTs and cybercrminal attacks.

Gabor will present a paper on Office exploit builders at VB2017 in Madrid. He will analyse five such exploit builders, all of which are used to generate actual malware. Perhaps unsurprisingly, the only vulnerability that all five builders 'support' is CVE-2012-0158, which itself was the subject of a VB conference paper in 2013 (pdf). No doubt, by the time Gabor presents his paper in October, CVE-2017-0199 will feature just as prominently, if not more so.

Join Gabor and more than 50 other security experts from around the world for VB2017 in Madrid. Register before the end of June to quality for a 10% Early Bird discount. A number of sponsor opportunities are still available.




Latest posts:

Firefox 59 to make it a lot harder to use data URIs in phishing attacks

Firefox developer Mozilla has announced that, as of version 59 of the browser, many kinds of data URIs, which provide a way to create "domainless web content", will not be rendered in the browser, thus making this trick - used in various phishing…

Standalone product test: FireEye Endpoint

Virus Bulletin ran a standalone test on FireEye's Endpoint Security solution.

VB2017 video: Consequences of bad security in health care

Jelena Milosevic, a nurse with a passion for IT security, is uniquely placed to witness poor security practices in the health care sector, and to fully understand the consequences. Today, we publish the recording of a presentation given by Jelena at…

Vulnerabilities play only a tiny role in the security risks that come with mobile phones

Both bad news (all devices were pwnd) and good news (pwning is increasingly difficult) came from the most recent mobile Pwn2Own competition. But the practical security risks that come with using mobile phones have little to do with vulnerabilities.

VB2017 paper: The (testing) world turned upside down

At VB2017 in Madrid, industry veteran and ESET Senior Research Fellow David Harley presented a paper on the state of security software testing. Today we publish David's paper in both HTML and PDF format.