Hackers are still using these old security flaws in Microsoft Office. Make sure you've patched them

'Malware authors still achieve their aims by relying on aging vulnerabilities,' warn security researchers.
Written by Danny Palmer, Senior Writer


Cyber criminals are exploiting security vulnerabilities in Microsoft Office that have been known about for years to infect PCs with malware, in attacks that demonstrate the importance of applying cybersecurity updates.

As detailed by cybersecurity researchers at Fortinet, cyber criminals are taking advantage of the unpatched security flaws to deliver SmokeLoader, a form of malware that is installed on Windows machines and used to deliver additional malware, including Trickbot and various backdoors and trojans.

Both vulnerabilities are almost five years old, but the fact they're being used to distribute SmokeLoader demonstrates that they're still effective. 

The first is CVE-2017-0199, a vulnerability in Microsoft Office that first emerged in 2017 and allows attackers to download and execute PowerShell scripts on compromised networks, providing them with the ability to gain additional access to systems.

The second is CVE-2017-11882, a stack buffer overflow vulnerability in Microsoft Office that enables remote code execution. Security patches for both vulnerabilities have been available since they were publicly disclosed five years ago.

Like many other malware campaigns, cyber criminals use phishing emails to coerce victims into falling for the attack. In this case, researchers detail how the phishing email asks the recipient to review a purchase order and shipping times in order to confirm if they're correct. The email attempts to look as legitimate as possible, including a full signature with related contact details. 


To see what's supposedly a purchase order, the user is asked to open a Microsoft Office document which has 'protections' in place. The user is asked to enable editing in order to see it, and it's this which allows the malicious document to execute the code required to exploit the vulnerabilities, infecting the victim device with malware. 

"While CVE-2017-0199 and CVE-2017-11882 were discovered in 2017, they are still being actively exploited in this and other malware campaigns," said James Slaughter, senior threat intelligence engineer at Fortinet. 

"This demonstrates that malware authors still achieve their aims by relying on aging vulnerabilities, often several years after coming to light, and banking on affected solutions not being fixed," he added. 

Unpatched security vulnerabilities remain one of the most common attack vectors for cyber criminals, many of whom actively scan the internet for vulnerable systems and servers. It's therefore vital that organisations apply security updates as quickly as possible in order to prevent malware attacks.

Researchers note that SmokeLoader is used to deliver Trickbot. Trickbot is commonly used to deliver ransomware and other malicious cyber threats that could be extremely disruptive. The best way to avoid falling victim to SmokeLoader and other campaigns is to ensure that security patches are applied, especially as, in this case, a fix has been available for years.

