Stats & Trends
David Bisson
Aug 2018

The 5 Microsoft Office Zero-Days Behind a Surge in Recent Attacks


Over the course of the past year, several Microsoft Office zero-day vulnerabilities came to light. Bad actors have seized upon these weaknesses and are now using them to prey upon users and organizations alike.

Exploits are valuable commodities among bad actors. Unlike social engineering, exploits don’t require human interaction, though malefactors do sometimes deploy them with the help of phishing emails earlier in the infection chain. Exploits are simple because they take advantage of a software bug or vulnerability; this security weakness gives attackers their opening.

When it comes to exploit popularity, attack code that takes advantage of Microsoft Office flaws is always in high demand. This preference at least partly reflects Microsoft Office’s ubiquity. People use the platform across a variety of computing devices, and some of those users are bound to be running outdated versions of Word and Excel.

As a result, when Microsoft Office vulnerabilities are discovered, it’s never long before exploits pop up and get incorporated into a wide variety of attack campaigns. In the best cases, security researchers discover the vulnerabilities and provide Microsoft with enough time to address them with a patch before they’re responsibly disclosed to the public. Occasionally, however, vulnerabilities aren’t brought to light until they’re observed being exploited by attackers in the wild. In these cases, the vulnerabilities are referred to as “zero days” because they’ve been exploited before the vendor has had the opportunity to learn of and fix them.

In 2017, there were at least eight zero-day vulnerabilities affecting Office products that researchers spotted being actively exploited in the wild. Thus far in 2018, there have been two more. This influx of new Office vulnerabilities, combined with the emergence of criminal utilities like ThreadKit that make it easy for criminals to build Office documents that exploit them, has helped fuel an explosion of attacks leveraging Office exploits.


Types of exploits used in attacks in Q1 2018. Source: Kaspersky Lab

In Q1 2018, Russian digital security firm Kaspersky Lab observed a fourfold increase in such attacks over the previous year. During that same time frame, threat intelligence provider Recorded Future noted that seven of the 10 most exploited vulnerabilities in 2017 targeted Microsoft products.

To better understand the popularity of these exploits and how they’re being utilized in attacks, here is an examination of the 10 most recently discovered zero-day Office vulnerabilities, five of which continue to be widely abused in the wild.

CVE-2017-0199 and CVE-2017-8570

  • Vulnerabilities in the Office Object Linking and Embedding (OLE) interface
  • Patched: April 11, 2017 (CVE-2017-0199) and June 11, 2017 (CVE-2017-8570)

According to Recorded Future, CVE-2017-0199 was the most widely used exploited vulnerability in 2017. First discovered being used by bad actors to distribute LatentBot and FinFIsher malware, it’s a vulnerability in the Office Object Linking and Embedding (OLE) interface that allows attackers to load malicious scripts via Rich Text File (RTF) and PowerPoint documents. Once notified, Microsoft patched the flaw on April 11, 2017. Even still, attackers have continued to incorporate it into phishing campaigns to distribute malware such as the REMCOS RAT and, most recently, the FELIXROOT backdoor in a July 2018 attack.

Unfortunately, attackers found a way to bypass Microsoft’s patch for CVE-2017-0199 via another flaw, CVE-2017-8570. The Redmond-based tech giant patched this issue on June 11, 2017, but that hasn’t stopped bad actors from also abusing it to distribute malware like LokiBot and Formbook.

CVE-2017-11882 and CVE-2018-0802

As with CVE-2017-0199 and CVE-2017-8570, exploits targeting these vulnerabilities have gained widespread adoption in malware campaigns. CVE-2017-11882 constitutes a stack buffer overflow flaw in Microsoft Equation Editor. It enables attackers to achieve remote code execution on vulnerable systems. Patched on November 14, 2017, the flaw continued to be widely exploited even after losing its zero-day status, factoring into a variety of campaigns distributing Formbook, Loki, and FELIXROOT, among other malware.  

CVE-2018-0802 was disclosed after attackers were discovered bypassing the patch for CVE-2017-11882. Microsoft resolved the issue by officially killing off Equation Editor on January 9, 2018. Even so (there’s a pattern here), attackers have continued to use malicious RTF documents to exploit the vulnerability in unpatched systems to spread Lokibot and other threats.


  • Vulnerability in the VBScript engine
  • Initially patched on May 8, 2018, new patch issued in July to address bugs under new identifier CVE-2018-8242

The fifth vulnerability that continues to be actively incorporated into attacks, CVE-2018-8174, affects the VBScript engine and gives attackers the opportunity to download payloads by loading and rendering a web page inside of an RTF document. The security team at Microsoft released a patch for the zero-day vulnerability on May 8, 2018, after researchers at Kaspersky and the Chinese security firm Qihoo360 Core spotted it being exploited in the wild. Again, releasing a patch has not stopped attackers from increasingly leveraging the bug and incorporating it into both the RIG exploit kit as well as the ThreadKit exploit builder.

In July, Qihoo 360 Core researchers notified Microsoft of two issues that could allow attackers to continue exploiting the flaw despite its patch. Microsoft responded by issuing a new patch, but that fix introduced a memory performance bug, leaving organizations forced to choose between security and performance.

Other Office zero-day vulnerabilities disclosed in 2017

While the five vulnerabilities listed above have seen widespread utilization, they weren't the only zero-day Office vulnerabilities disclosed last year. 

CVE-2017-0261, CVE-2017-0262 and CVE-2017-0263

FireEye discovered these three previously unknown vulnerabilities in the Encapsulated PostScript (EPS) of Office products in March and April 2017. , According to FireEye, the Turla group and another unknown financially motivated threat actor abused CVE-2017-0261, a use-after-free vulnerability, to deliver custom JavaScript malware called “SHIRME.” Meanwhile, APT28 exploited CVE-2017-0262 and CVE-2017-0263 to deliver GAMEFISH malware and elevate privileges during the delivery of that threat. Microsoft was able to patch the flaws on May 9, 2017. No published reports of attackers exploiting the vulnerabilities have surfaced since.


This Office vulnerability, which was patched on September 12, 2017, allows attackers to inject code during the parsing of SOAP WSDL definition contents. Security researchers spotted several campaigns exploiting this bug prior to Microsoft’s patch. Most notably, malefactors used a malicious document to target Russian-speaking targets, in turn, downloaded several components and eventually a FinFisher payload. Since the patch, this vulnerability has not been widely used.  


Another zero-day vulnerability patched by Microsoft in 2017 (October), CVE-2017-11826 is unique in that it works only on systems running Office 2010 and earlier. Researchers at McAfee Labs analyzed an in-the-wild attack exploiting this flaw and found that the memory corruption vulnerability was triggered by an RTF document that came with three embedded objects. The first object loads a COM object that enables attackers to bypass ASLR and data execution prevention (DEP) on older Office versions. The second object employs a ActiveX.bin technique discovered in 2013. The third object triggers the memory corruption vulnerability. Thankfully, this vulnerability has also not seen widespread use since a patch was provided.

Blocking attack campaigns driven by Office vulnerabilities

To protect against the vulnerabilities identified above, among other exploits, organizations need to be capable of defending themselves against multiple attack vectors until the opportunity arises to patch. Find out how Barkly’s unique endpoint protection architecture provides it with deeper visibility than any other platform, allowing it to block exploit attempts other solutions miss. Learn more.
David Bisson

David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Barkly, Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, and others.


Learn how to block Microsoft Office attacks

Our newest guide walks you though how to protect your company from malicious Word documents, Excel spreadsheets, and more.

Get the guide


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.