Vulnerability Note VU#921560
Microsoft OLE URL Moniker improperly handles remotely-linked HTA data
Microsoft OLE uses the URL Moniker to open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.
Microsoft OLE uses the URL Moniker to process remotely-linked content in a vulnerable manner. The remote content is opened based on the application associated with the server-provided MIME type. Some MIME types are dangerous, as they can result in code execution. For example, the application/hta MIME type is associated with mshta.exe. Opening arbitrary HTA content is equivalent to executing arbitrary code. This vulnerability is reportedly being exploited in the wild. The exploits used in the wild have the following characteristics:
By convincing a user to open a specially-crafted document, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system.
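As an added detection example (not part of the original CERT/CC note): because the handler is chosen from the server-provided MIME type, web proxy logs can be searched for responses served as application/hta, whatever the URL looks like. The tab-separated log layout, the host names and the `extension_mismatch` heuristic are assumptions constructed for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

# MIME types whose registered handler executes content. The note names
# application/hta (handled by mshta.exe); extend per local policy.
DANGEROUS_MIME = {"application/hta"}

# Constructed sample proxy log (tab-separated): time, client, url, content_type
SAMPLE_LOG = """\
2017-04-10T09:00:01Z\t10.0.0.5\thttp://files.example.test/report.doc\tapplication/msword
2017-04-10T09:00:07Z\t10.0.0.8\thttp://cdn.example.test/template.doc\tApplication/HTA; charset=utf-8
2017-04-10T09:01:12Z\t10.0.0.9\thttp://intranet.example.test/tools/setup.hta\tapplication/hta
2017-04-10T09:02:30Z\t10.0.0.5\thttp://www.example.test/index.html\ttext/html
"""


def media_type(header_value):
    """Return the bare, lowercased media type from a Content-Type value."""
    # Parameters (charset etc.) and case must not defeat the comparison.
    return header_value.split(";", 1)[0].strip().lower()


def flag_dangerous_responses(log_text):
    """Return one finding per response served with a dangerous MIME type."""
    findings = []
    reader = csv.reader(io.StringIO(log_text), delimiter="\t")
    for row in reader:
        if len(row) != 4:
            continue  # skip malformed lines rather than guessing fields
        when, client, url, ctype = row
        if media_type(ctype) not in DANGEROUS_MIME:
            continue
        path = urlsplit(url).path.lower()
        findings.append({
            "time": when,
            "client": client,
            "url": url,
            # Assumed heuristic: the URL does not look like an HTA file,
            # yet the server declared the content to be one.
            "extension_mismatch": not path.endswith(".hta"),
        })
    return findings


if __name__ == "__main__":
    for finding in flag_dangerous_responses(SAMPLE_LOG):
        print(finding)
```
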
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:
Apply an update
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | - | 10 Apr 2017 |
CVSS Metrics
Public exploitation of this vulnerability was reported by McAfee and FireEye.
This document was written by Will Dormann.
- CVE IDs: CVE-2017-0199
- Date Public: 07 Apr 2017
- Date First Published: 10 Apr 2017
- Date Last Updated: 13 Apr 2017
- Document Revision: 63