Microsoft OLE uses the URL Moniker to open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.
Microsoft OLE uses the URL Moniker to processes remotely-linked content in a vulnerable manner. The remote content is opened based on the application associated with the server-provided MIME type. Some MIME types are dangerous, as they can result in code execution. For example, the application/hta mime type is associated with mshta.exe. Opening arbitrary HTA content is equivalent to executing arbitrary code. This vulnerability is reportedly being exploited in the wild. The exploits used in the wild have the following characteristics:
This vulnerability is reportedly being exploited in the wild.
By convincing a user to open a specially-crafted document, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system.
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds;
Apply an update
Public exploitation of this vulnerability was reported by McAfee and FireEye.
This document was written by Will Dormann.
|Date First Published:||2017-04-10|
|Date Last Updated:||2017-04-13 15:14 UTC|