Executive Risk Summary
"This vulnerability allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory. The vulnerability affects Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016."
Anticipated Attack Path
1. Initial Exploitation: Attacker sends a malicious Office document to the victim
2. Privilege Escalation: Exploited code runs in the context of the current user
3. Lateral Movement: Attacker uses the exploited system to move laterally within the network
Am I Vulnerable?
- Verify that all Microsoft Office versions are up-to-date with the latest security patches
- Implement a robust email filtering solution to block malicious Office documents
- Use a memory-based exploit detection tool to identify potential exploitation attempts
Operational Audit Arsenal
Target Type: Process
Target Asset: winword.exe
Standard Path: C:\Program Files\Microsoft Office\Root\Office16
PowerShell
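# 🛠️ Senior Engineer Universal Audit
# Target: winword.exe (Process)
# Locate every copy of the target binary and report its product version.
$Targets = 'winword.exe'
# Drop empty or missing roots (ProgramFiles(x86) is unset on 32-bit Windows).
$SearchPaths = @("$env:windir\System32", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ -and (Test-Path $_) }
Get-ChildItem -Path $SearchPaths -Include $Targets -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, @{Name="Version";Expression={$_.VersionInfo.ProductVersion}}
Patch Impact Forecast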
Reboot Required: Unlikely
Minimal disruption expected, as the patch only updates the Microsoft Office components
Internal Work Notes
Apply the latest security patch for Microsoft Office to mitigate the Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882)
Intelligence Sources
Official Advisory: http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882
Official Advisory: http://www.securityfocus.com/bid/101757
Official Advisory: http://www.securitytracker.com/id/1039783
Official Advisory: https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html
Official Advisory: https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html
Official Advisory: https://github.com/0x09AL/CVE-2017-11882-metasploit
Official Advisory: https://github.com/embedi/CVE-2017-11882
Official Advisory: https://github.com/rxwx/CVE-2017-11882
Official Advisory: https://github.com/unamer/CVE-2017-11882
MSRC Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
Official Advisory: https://researchcenter.paloaltonetworks.com/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/
Official Advisory: https://web.archive.org/web/20181104111128/https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about/
Official Advisory: https://www.exploit-db.com/exploits/43163/
Official Advisory: https://www.kb.cert.org/vuls/id/421280
Official Advisory: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-11882
Data compiled from NVD, MSRC, and CISA KEV Catalog. Intelligence synthesized via AI. Scripts provided for diagnostic purposes under MIT License.