CVE-2017-11882: five years of exploitation

It means that some companies still have not installed MS Office patches that were published 5 years ago.

Editorial Team
August 8, 2023

We constantly emphasize how important it is to promptly install patches for vulnerabilities in the software most often exploited in cyberattacks: operating systems, browsers and office applications. Here is a good illustration of this thesis: according to our statistics on the vulnerabilities most commonly exploited in attacks on our customers, CVE-2017-11882 in Microsoft Office is still quite popular among cybercriminals. And that is despite the fact that the update that fixes this vulnerability was released back in November 2017! Such lasting popularity of CVE-2017-11882 can only mean that someone has not installed patches for Microsoft Office for more than five years.

What is the CVE-2017-11882 vulnerability?

CVE-2017-11882 is a remote code execution (RCE) vulnerability in the equation editor of Microsoft Office, and it is associated with a failure to handle objects in memory. To exploit the vulnerability, an attacker must create a malicious file and somehow convince the victim to open it. Most often, such a file is sent by e-mail or hosted on a compromised site.

Successful exploitation of CVE-2017-11882 allows an attacker to execute arbitrary code with the privileges of the user who opened the malicious file. Thus, if the victim has administrator rights, the attacker will be able to take full control of the system: install programs; view, modify or destroy data; and even create new accounts.

At the end of 2017, when information about the vulnerability was first published, there were no attempts to exploit it. But in under a week, a proof of concept (PoC) appeared on the Internet, and attacks using CVE-2017-11882 began over the next few days. In 2018, it became one of the most exploited vulnerabilities in Microsoft Office.

In 2020, during the COVID-19 pandemic, CVE-2017-11882 was actively used in malicious mailouts that exploited the topic of deliveries disrupted by medical restrictions. And now, in 2023, this vulnerability apparently still serves malefactors' purposes!

How to stay safe

Of course, CVE-2017-11882 is not the only vulnerability that has been used in attacks for many years, and it is not even the most dangerous of them. It is surprising, however, that despite its relative popularity (quite a lot was written about it back in 2017), as well as the availability of updates and more recent versions of MS Office, someone is still using vulnerable versions of the office suite.

So, first of all, we recommend that all companies that use Microsoft Office make sure they are working with a patched version of the suite. It is also usually a good idea to monitor new releases of security patches and install them promptly.

The rest of the advice is pretty standard: avoid working with office documents with administrator rights; do not open documents sent by unknown persons and for unknown reasons; use security solutions that can stop the exploitation of vulnerabilities. Kaspersky Endpoint Security for Business detects and blocks exploitation attempts of all known vulnerabilities (including this one), as well as yet undiscovered ones.
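As an added illustration (not part of the original article and not the code of any Kaspersky product), the Python sketch below triages RTF attachments by listing the class name of each embedded OLE object and flagging those handled by the legacy equation editor, the component this vulnerability lives in. It assumes the class name `Equation.3`, the OLE 1.0 object header layout inside `\objdata`, and hex that is split only by whitespace; the sample document is constructed and carries nothing but a header.

```python
import re
import struct

# Assumption of this example: "Equation.3" is the class name (ProgID) under
# which the legacy Equation Editor registers its embedded objects.
EQUATION_CLASSES = {"equation.3"}

# Payload of an RTF \objdata destination: everything up to the closing brace.
OBJDATA_RE = re.compile(rb"\\objdata([^{}]*)")

def ole1_class_name(blob):
    """Read ClassName from an OLE 1.0 object header; None if it does not parse."""
    if len(blob) < 12:
        return None
    _version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    # FormatID 1 = linked, 2 = embedded; ClassName is a length-prefixed ANSI string.
    if format_id not in (1, 2) or not 0 < name_len <= 64:
        return None
    if len(blob) < 12 + name_len:
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")

def embedded_classes(rtf_bytes):
    """Return the class name of every parseable embedded object in an RTF file."""
    names = []
    for match in OBJDATA_RE.finditer(rtf_bytes):
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", match.group(1))  # drop line breaks
        digits = digits[: len(digits) // 2 * 2]                # keep whole bytes
        name = ole1_class_name(bytes.fromhex(digits.decode("ascii")))
        if name:
            names.append(name)
    return names

def embeds_equation_editor(rtf_bytes):
    """True if any embedded object would be handled by the Equation Editor."""
    return any(n.lower() in EQUATION_CLASSES for n in embedded_classes(rtf_bytes))

def sample_rtf(class_name):
    """Constructed sample: an object header with empty native data, nothing else."""
    name = class_name.encode("ascii") + b"\x00"
    # bytes(12) = empty TopicName, empty ItemName, NativeDataSize of zero.
    header = struct.pack("<III", 0x501, 2, len(name)) + name + bytes(12)
    hexed = header.hex()
    lines = "\n".join(hexed[i:i + 16] for i in range(0, len(hexed), 16))
    return ("{\\rtf1{\\object\\objemb{\\*\\objdata " + lines + "}}}").encode("ascii")

if __name__ == "__main__":
    print(embedded_classes(sample_rtf("Equation.3")))
    print(embeds_equation_editor(sample_rtf("Excel.Sheet.8")))
```

A hit only means the document asks for the equation editor, which few current documents have reason to do, so flagged files are candidates for quarantine or closer inspection rather than confirmed exploits.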