CVE-2017-11882: five years of exploitation

We constantly emphasize how important it is to promptly install patches for vulnerabilities in software that is most often being exploited in cyberattacks — operating systems, browsers and office applications. Here is a good illustration of this thesis: according to our statistics on vulnerabilities, the most commonly exploited in the attacks on our customers, CVE-2017-11882 in Microsoft Office is still quite popular among the cybercriminals. And that is despite the fact that the update that fixes this vulnerability was released back in November 2017! Such lasting popularity of CVE-2017-11882 can only mean that someone hadn’t installed patches for the Microsoft office for more than five years.

What is CVE-2017-11882 vulnerability?

CVE-2017-11882 is a RCE vulnerability in the equation editor from the Microsoft Office and it is associated with a failure to handle objects in RAM. To exploit the vulnerability, an attacker must create a malicious file and somehow convince the victim to open it. Most often, such file is sent by e-mail or is hosted on a compromised site.

Successful exploitation of the CVE-2017-11882 vulnerability allows an attacker to execute arbitrary code with the privileges of the user who opened the malicious file. Thus, if the victim has administrator rights, the attacker will be able to take full control of his system — install programs; view, modify or destroy data; and even create new accounts.

At the end of 2017, when information about the vulnerability was first published, there were no attempts to exploit it. But in under a week, a proof of concept (PoC) appeared on the Internet, and attacks using CVE-2017-11882 began over the next few days.

In 2018, it became one of the most exploited vulnerabilities in Microsoft Office. In 2020, during the Covid-19 pandemic, CVE-2017-11882 was actively used in malicious mailouts that exploited the topic of disrupted deliveries due to the medical restrictions. And now, in 2023, this vulnerability apparently still serves malefactors’ purposes!

How to stay safe

Of course, CVE-2017-11882 is not the only vulnerability that has been used in attacks for many years. And not even the most dangerous of them. It is surprising, however, that despite its relative popularity (quite a lot was written about it back in 2017), as well as the availability of updates and more recent versions of MS Office, someone is still using vulnerable versions of the office suite.

So, first of all we recommend all companies that use Microsoft Office to make sure that they are working with the patched version of the suite. It is also usually a good idea to monitor new releases of security patches and install them timely. The rest of the advice is pretty standard:

• avoid working with office documents with administrator rights;
• do not open documents sent by unknown persons and for unknown reasons;
• use security solutions that can stop the exploitation of vulnerabilities.

Kaspersky Endpoint Security for Business detects and blocks exploitation attempts of all known vulnerabilities (including this one), as well as yet undiscovered ones.