Usually, when someone discovers an exploit for a program, a hotfix is released to patch it. This lifecycle gives exploits a relatively short lifespan between their discovery and their fix. As such, it’s very unusual for an old flaw in a popular program to still be making the rounds, especially after a patch has been released to fix it.
This is why it’s so notable that an old exploit of Microsoft Office is still circling the Internet. It even became the third most prevalent attack in 2018. The problem is, this exploit was fixed back in 2017, and it’s still doing damage to this day!
What Is the Exploit?
The exploit has the somewhat hard-to-say name “CVE-2017-11882.” It exploited a part of Office which didn’t correctly handle the memory given to it. Using this exploit, a hacker could force Office to run code of their choosing. Even worse, if the victim had administrative rights, the exploit could be used to take control of the computer itself.
For the exploit to attack a copy of Office, the hacker needs to convince a user to open an infected file within Word. This means that the exploit spreads best through scams that make the user curious enough to open the infected text file. The hackers can set up fake websites that contain the document and claim it’s a vital document, or send out emails asking the user to download the file – typically by claiming it’s imperative to read now.
How Does the New Exploit Campaign Work?
An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw
— Microsoft Security Intelligence (@MsftSecIntel) June 7, 2019
This new wave of attacks sees emails being sent out in a European language, with an RTF file attached to them. If the user downloads and opens the file, it executes code that downloads and runs scripts. These scripts open a backdoor within Office, which then opens up a connection to a command center.
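For defenders, the delivery method described above (an RTF file attached to an email) can be triaged at the mail gateway. The following is an added example, not code from the article or from Microsoft: it inspects attachments by content rather than file extension and flags RTF files that carry an embedded object. The `Equation.3` check is an addition not mentioned in the article (it is the OLE class name of the Equation Editor, the Office component this CVE affects), and all function names and sample data are constructed for illustration.

```python
import binascii
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Match a short prefix so files with a non-standard "{\rtf1" header are still checked.
RTF_PREFIX = b"{\\rt"
# \objdata carries an embedded object as hex text, up to the next brace or control word.
OBJDATA = re.compile(rb"\\objdata([^{}\\]*)")

def rtf_findings(data: bytes) -> list[str]:
    """Return reasons an RTF body deserves a closer look (empty list if none)."""
    if not data.lstrip().startswith(RTF_PREFIX):
        return []
    findings = []
    for match in OBJDATA.finditer(data):
        hex_text = re.sub(rb"[^0-9A-Fa-f]", b"", match.group(1))
        blob = binascii.unhexlify(hex_text[: len(hex_text) // 2 * 2])
        findings.append("embedded OLE object")
        if b"equation.3" in blob.lower():
            findings.append("Equation.3 class name in object header")
    return findings

def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map attachment filename -> findings, judging by content, not extension."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        findings = rtf_findings(part.get_payload(decode=True) or b"")
        if findings:
            report[part.get_filename() or "(unnamed)"] = findings
    return report

def build_sample() -> bytes:
    """Constructed, harmless message: one RTF with an object header only, one plain RTF."""
    ole_header = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0b\x00\x00\x00Equation.3\x00"
    flagged = b"{\\rtf1{\\object\\objemb{\\*\\objdata " + ole_header.hex().encode() + b"}}}"
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(flagged, maintype="application", subtype="msword", filename="invoice.doc")
    msg.add_attachment(b"{\\rtf1 plain text}", maintype="application", subtype="rtf", filename="notes.rtf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```

This is a triage heuristic for routing attachments to closer inspection, not a verdict: a legitimate document can contain an embedded object, and a file that breaks up the hex data with extra control words will not match the class-name check.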
Why Is It Back?
As for why the attackers are repeating an exploit that was “fixed” in 2017, it’s uncertain what inspired this specific wave of attacks. It may be due to how attacks of this nature are still successful two years after the fix release date, and as such are a “safe bet” for hackers to target.
“The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks,” said Microsoft on their Twitter account. “Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates.”
How to Fix the Exploit
As the tweet above mentioned, the fix has been available for years. Unfortunately, this fix hasn’t been fully rolled out, even to this day. There’s the potential for a debate on whether this is Microsoft’s fault for not distributing the fix “properly” or the user’s for skipping over an update that’s been ready for two years. But all that matters now is that you should update your Office software immediately.
To do this, open an Office application like Word. On the top menu click on “Help,” then “Check for Updates.” Office should then search for and download any missing updates, including the fix for the above problem if you don’t have it already.
Old Hacks Die Hard
The recent wave of Office-based attacks is an odd one, as it’s a problem that “should have” gone away two years ago. If you can’t remember the last time you updated Office, give it a quick check to make sure you have the patch.
What’s the best way to stop these old exploits from repeatedly occurring within software? Let us know below.