CVE-2017-0261
Published: 12 May 2017
Summary
CVE-2017-0261 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Office. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Deeper analysis
Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 contain a remote code execution vulnerability arising from improper handling of objects in memory. The flaw is tracked as CWE-416 and is distinct from the related issues CVE-2017-0262 and CVE-2017-0281. It received a CVSS 3.1 base score of 7.8, reflecting a local attack vector, low attack complexity, and no required privileges.
An attacker can exploit the weakness by supplying a specially crafted document that triggers the memory-handling error when opened by a user. Successful exploitation grants arbitrary code execution in the context of the current user, yielding full control over confidentiality, integrity, and availability of the affected system.
Microsoft published an advisory at the MSRC portal that addresses CVE-2017-0261; practitioners should consult that guidance and apply the corresponding Office updates to eliminate the vulnerability. No additional details on in-the-wild exploitation campaigns are supplied in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-0617
Vulnerability details
Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a remote code execution vulnerability when the software fails to properly handle objects in memory, aka "Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0262 and CVE-2017-0281.
- CWE(s): CWE-416
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) directly requires applying the vendor-supplied Office updates that eliminate the memory-handling flaw (CWE-416) before a crafted document can be exploited.
SI-3 (Malicious Code Protection): malicious-code protection mechanisms can inspect or sandbox incoming Office documents and block execution of the exploit payload.
Integrity verification of Office binaries and document files can detect unauthorized modification or substitution that would otherwise trigger the RCE flaw.