Vulnerability Note VU#921560
Microsoft OLE URL Moniker improperly handles remotely-linked HTA data
Microsoft OLE uses the URL Moniker to open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.
Microsoft OLE uses the URL Moniker to process remotely-linked content in a vulnerable manner. The remote content is opened based on the application associated with the server-provided MIME type. Some MIME types are dangerous, as they can result in code execution. For example, the application/hta MIME type is associated with mshta.exe. Opening arbitrary HTA content is equivalent to executing arbitrary code. This vulnerability is reportedly being exploited in the wild. The exploits used in the wild have the following characteristics:
By convincing a user to open a specially-crafted document, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system.
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:
Apply an update
Block RTF documents in Microsoft Word
Exploits in the wild utilize RTF documents. RTF documents can be blocked in Microsoft Word by using the File Block Settings in the Microsoft Office Trust Center. For example, the following registry values can be used to block the opening of RTF documents in Word 2016:
For other versions of Office, the path above will need to be modified to match the version number associated with the installed version of Office.
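A detection example to complement these workarounds, added here and not part of the original CERT/CC note: because the handler is chosen from the server-provided MIME type rather than from the URL, it flags proxy-log responses served as application/hta whatever file extension was requested. The log format, host names and sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# MIME types whose registered handler runs code. The note names application/hta
# (handled by mshta.exe); extend this set per local policy.
DANGEROUS_MIME = {"application/hta"}

# Assumed log format: timestamp client method url status "content-type"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

def normalize_mime(header_value):
    """Reduce a Content-Type header to its bare lowercase type/subtype."""
    return header_value.split(";", 1)[0].strip().lower()

def url_extension(url):
    """Return the lowercase extension of the URL path, ignoring query/fragment."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def find_hta_responses(lines):
    """Return one finding per successful response served as a dangerous MIME type."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or nothing was delivered to the client
        mime = normalize_mime(m["ctype"])
        if mime in DANGEROUS_MIME:
            findings.append({
                "client": m["client"], "url": m["url"], "mime": mime,
                # The handler follows the header, so a benign-looking extension
                # on the URL does not make the response safe.
                "extension_mismatch": url_extension(m["url"]) != "hta",
            })
    return findings

SAMPLE_LOG = [  # constructed sample lines
    '2017-04-11T09:14:02Z 10.0.0.21 GET http://files.example.test/reports/q1.doc 200 "Application/HTA; charset=utf-8"',
    '2017-04-11T09:15:40Z 10.0.0.22 GET http://intranet.example.test/tools/setup.hta 200 "application/hta"',
    '2017-04-11T09:16:05Z 10.0.0.23 GET http://files.example.test/reports/q2.doc 200 "application/msword"',
    '2017-04-11T09:17:30Z 10.0.0.24 GET http://files.example.test/old.rtf 404 "application/hta"',
]

if __name__ == "__main__":
    for finding in find_hta_responses(SAMPLE_LOG):
        print(finding)
```

Findings with `extension_mismatch` set are the ones to triage first, since the requested name suggested a document while the response was delivered as HTA content.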
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | - | 10 Apr 2017 |
CVSS Metrics
Public exploitation of this vulnerability was reported by McAfee and FireEye.
This document was written by Will Dormann.
- CVE IDs: CVE-2017-0199
- Date Public: 07 Apr 2017
- Date First Published: 10 Apr 2017
- Date Last Updated: 13 Apr 2017
- Document Revision: 63