Executive Risk Summary
"This vulnerability allows remote attackers to execute arbitrary code via a crafted document, potentially leading to system compromise. The vulnerability affects various Microsoft Office and Windows versions, including Office 2007, 2010, 2013, and 2016, as well as Windows Vista, Server 2008, 7, and 8.1."
Anticipated Attack Path
1. Initial Exploitation: Attacker sends a crafted document to the victim
2. Code Execution: Malicious code is executed on the victim's system
3. Post-Exploitation: Attacker gains control over the compromised system
Am I Vulnerable?
- Verify if Microsoft Office and Windows systems are up-to-date with the latest security patches
- Check for suspicious document attachments and emails
- Monitor system logs for signs of exploitation
Operational Audit Arsenal
Target Type: Process
Target Asset: winword.exe
Standard Path: C:\Program Files\Microsoft Office\Root\Office16
PowerShell
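# Senior Engineer Universal Audit
# Target: winword.exe (Process)
# Locates every copy of the target binary under the standard install roots
# and reports its product version for comparison against patched builds.
$Targets = 'winword.exe'
# Skip roots that are unset or missing (e.g. ProgramFiles(x86) on 32-bit hosts)
$SearchPaths = @("$env:windir\System32", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ -and (Test-Path $_) }
Get-ChildItem -Path $SearchPaths -Include $Targets -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, @{Name="Version";Expression={$_.VersionInfo.ProductVersion}}
Patch Impact Forecast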
Reboot Required: Likely
Minimal to Moderate
Internal Work Notes
CVE-2017-0199: Microsoft Office/WordPad Remote Code Execution Vulnerability - Apply security patches to prevent arbitrary code execution via crafted documents.
Intelligence Sources
Official Advisory: http://rewtin.blogspot.nl/2017/04/cve-2017-0199-practical-exploitation-poc.html
Official Advisory: http://www.securityfocus.com/bid/97498
Official Advisory: http://www.securitytracker.com/id/1038224
Official Advisory: https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
Official Advisory: https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
MSRC Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
Official Advisory: https://www.exploit-db.com/exploits/41894/
Official Advisory: https://www.exploit-db.com/exploits/41934/
Official Advisory: https://www.exploit-db.com/exploits/42995/
Official Advisory: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
Official Advisory: https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
Official Advisory: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0199
Data compiled from NVD, MSRC, and CISA KEV Catalog. Intelligence synthesized via AI. Scripts provided for diagnostic purposes under MIT License.