9.3 - VU#921560

Executive Summary

Summary
Title	Microsoft OLE URL Moniker improperly handles remotely-linked HTA data

Informations
Name	VU#921560	First vendor Publication	2017-04-10
Vendor	VU-CERT	Last vendor Modification	2017-04-13
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#921560

Microsoft OLE URL Moniker improperly handles remotely-linked HTA data

Original Release date: 10 Apr 2017 | Last revised: 13 Apr 2017

Overview

Microsoft OLE uses the URL Moniker to open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.

Description

Microsoft OLE uses the URL Moniker to processes remotely-linked content in a vulnerable manner. The remote content is opened based on the application associated with the server-provided MIME type. Some MIME types are dangerous, as they can result in code execution. For example, the application/hta mime type is associated with mshta.exe. Opening arbitrary HTA content is equivalent to executing arbitrary code. This vulnerability is reportedly being exploited in the wild. The exploits used in the wild have the following characteristics:

The document that triggers the URL Moniker vulnerability is an RTF document that masquerades as a Microsoft Word DOC file.
The exploit connects to a remote server to obtain an execute an HTA file, which contains VBScript to be executed by the client.

Note that depending on the nature of the vulnerability, it may be possible to target Microsoft Windows components other than Microsoft Word. This vulnerability reportedly affects all versions of Microsoft Office, including Office 2016 on Windows 10. It is also reported that Microsoft Office Protected View can help prevent exploitation without user interaction.

This vulnerability is reportedly being exploited in the wild.

Impact

By convincing a user to open a specially-crafted document, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds;

Apply an update

This issue is addressed in the following Microsoft Security update: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
Please refer to this document and install all relevant updates for both Microsoft Windows and Microsoft Office.

Note: Even with these updates, remotely-linked OLE content is still retrieved and saved according to server-provided MIME type before any user interaction if the document is not in Protected Mode. The update prevents HTA content from being executed after it has been retrieved in such a manner.

Disable the application/hta MIME handler

This exploit appears to be blocked by disabling the MIME handler for application/hta. The handler for this MIME type can be overridden with the "plain text" handler using the following registry value:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/hta]

"CLSID"="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

Block RTF documents in Microsoft Word

Exploits in the wild utilize RTF documents. RTF documents can be blocked in Microsoft Word by using the File Block Settings in the Microsoft Office Trust Center. For example, the following registry values can be used to block the opening of RTF documents in Word 2016:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\FileBlock]

"OpenInProtectedView"=dword:00000000

"RtfFiles"=dword:00000002

For other versions of Office, the path above will need to be modified to match the version number associated with the installed version of Office.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Microsoft Corporation	Affected	-	10 Apr 2017

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal	6.8	E:F/RL:W/RC:C
Environmental	6.8	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
https://support.office.com/en-us/article/What-is-File-Block-10d0e0ab-fecf-4605-befd-1e6563e7686d

Credit

Public exploitation of this vulnerability was reported by McAfee and FireEye.

This document was written by Will Dormann.

Other Information

CVE IDs:CVE-2017-0199
Date Public:07 Apr 2017
Date First Published:10 Apr 2017
Date Last Updated:13 Apr 2017
Document Revision:63

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/921560

CPE : Common Platform Enumeration

Type	Description	Count
Application	Microsoft Office cpe:2.3:a:microsoft:office:2016:-:::::: cpe:2.3:a:microsoft:office:2013:sp1:::::: cpe:2.3:a:microsoft:office:2010:sp2:::::: cpe:2.3:a:microsoft:office:2007:sp3::::::	4
Application	Philips Intellispace Portal cpe:2.3:a:philips:intellispace_portal:8.0:::::::* cpe:2.3:a:philips:intellispace_portal:7.0:::::::*	2
Os	Microsoft Windows 7 cpe:2.3:o:microsoft:windows_7:-:sp1::::::	1
Os	Microsoft Windows Server 2008 cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:::::: cpe:2.3:o:microsoft:windows_server_2008:-:sp2::::::	2
Os	Microsoft Windows Server 2012 cpe:2.3:o:microsoft:windows_server_2012:-:::::::*	1
Os	Microsoft Windows Vista cpe:2.3:o:microsoft:windows_vista:-:sp2::::::	1

SAINT Exploits

Description	Link
Microsoft Word and WordPad RTF HTA handler command execution	More info here

Snort® IPS/IDS

Date	Description
2020-01-16	Microsoft Word internal OLE object update attempt RuleID : 52482 - Revision : 1 - Type : INDICATOR-COMPROMISE
2020-01-16	Microsoft Word internal OLE object update attempt RuleID : 52481 - Revision : 1 - Type : INDICATOR-COMPROMISE
2018-02-22	Microsoft Word internal object auto update attempt RuleID : 45520 - Revision : 2 - Type : INDICATOR-COMPROMISE
2018-02-22	Microsoft Word internal object auto update attempt RuleID : 45519 - Revision : 2 - Type : INDICATOR-COMPROMISE
2017-05-16	RTF url moniker COM file download attempt RuleID : 42231 - Revision : 3 - Type : FILE-OFFICE
2017-05-16	RTF url moniker COM file download attempt RuleID : 42230 - Revision : 2 - Type : INDICATOR-COMPROMISE
2017-05-16	RTF url moniker COM file download attempt RuleID : 42229 - Revision : 2 - Type : INDICATOR-COMPROMISE
2017-05-11	RTF objautlink url moniker file download attempt RuleID : 42190 - Revision : 2 - Type : FILE-OFFICE
2017-05-11	RTF objautlink url moniker file download attempt RuleID : 42189 - Revision : 2 - Type : FILE-OFFICE

Nessus® Vulnerability Scanner

Date	Description
2017-10-20	Name : The remote Windows host is affected by an information disclosure vulnerability. File : smb_nt_ms17_apr_4014793.nasl - Type : ACT_GATHER_INFO
2017-04-12	Name : The remote Windows host is affected by multiple vulnerabilities. File : smb_nt_ms17_apr_4015549.nasl - Type : ACT_GATHER_INFO
2017-04-12	Name : An application installed on the remote Windows host is affected by multiple v... File : smb_nt_ms17_apr_office.nasl - Type : ACT_GATHER_INFO
2017-04-11	Name : The remote Windows host is affected by multiple vulnerabilities. File : smb_nt_ms17-apr_4015551.nasl - Type : ACT_GATHER_INFO
2017-03-20	Name : The remote Windows host is affected by multiple vulnerabilities. File : ms17-010.nasl - Type : ACT_GATHER_INFO
2017-03-15	Name : The remote Windows host is affected by multiple vulnerabilities. File : smb_nt_ms17-010.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2017-06-29 13:23:35	Multiple Updates
2017-04-21 00:24:52	Multiple Updates
2017-04-13 21:22:18	Multiple Updates
2017-04-13 17:20:58	Multiple Updates
2017-04-13 05:19:47	Multiple Updates
2017-04-12 21:20:52	Multiple Updates
2017-04-12 21:18:43	Multiple Updates
2017-04-12 00:24:38	Multiple Updates
2017-04-11 17:23:58	Multiple Updates
2017-04-11 05:20:35	Multiple Updates
2017-04-10 21:23:55	First insertion

Global Informations

Type	Count
CPE ID(s)	11
Saint Exploit(s)	1
Snort® Rule(s)	9
Nessus® Exploit(s)	6

	Related
7.8	CVE-2017-0199
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)