CVE-2017-11826 — Microsoft Office Remote Code Execution Vulnerability

Microsoft Office — OOXML Document Object Memory Corruption Exploited in Targeted Attacks; Patched October 2017 Patch Tuesday

What Is Microsoft Office?

Microsoft Office's document processing components — Word, Excel, PowerPoint — parse complex binary and XML-based document formats (OOXML: .docx, .xlsx, .pptx) using extensive parsing code in the Office core libraries. The complexity of Office document parsing, combined with the rich feature set (embedded objects, field codes, font rendering, graphics processing), creates a sustained source of memory corruption vulnerabilities. CVE-2017-11826 is a memory corruption vulnerability in Office's object handling during document parsing, patched in October 2017.

Overview

Actively Exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022; federal agencies were required to remediate it under BOD 22-01 by March 24, 2022.

CVE-2017-11826 is a memory corruption vulnerability in Microsoft Office triggered when it processes a malformed object in a document. An attacker exploits it by delivering a crafted Office document to a target, typically as a phishing attachment, and convincing the user to open it. Successful exploitation runs arbitrary code with the rights of the user who opened the file, so an administrator account is fully compromised while a standard user account limits the immediate blast radius. The fix shipped in the October 2017 Patch Tuesday release. The vulnerability was observed in targeted attacks, particularly by threat actors associated with East Asian espionage campaigns, before and shortly after the patch was released. CISA added CVE-2017-11826 to the KEV catalog in March 2022.

Affected Versions

Product Status
Microsoft Office 2007 SP3 Vulnerable
Microsoft Office 2010 SP2 (32/64-bit) Vulnerable
Microsoft Office 2013 SP1 (32/64-bit) Vulnerable
Microsoft Office 2016 (32/64-bit) Vulnerable
All above with October 2017 security update Fixed

Technical Details

Root Cause: Memory Corruption in Office Object Processing

CVE-2017-11826 is a memory buffer vulnerability (CWE-119) in the Microsoft Office document parsing engine. When Office parses a specially crafted OOXML document whose XML parts describe a malformed object structure, the code that creates and tears down the corresponding in-memory objects uses attacker-influenced metadata without adequate validation, corrupting heap memory. As with most Office parser bugs of this class, the corruption is then steered to hijack control flow, for example by overwriting a function pointer or an object's vtable pointer, so that execution lands in attacker-controlled shellcode. Neither the vendor advisory nor the NVD entry publishes root-cause detail beyond the CWE-119 classification, so the description above reflects the generic exploitation pattern for this bug class rather than a published analysis of the specific faulty code path.

Exploitation pattern:

  • Attacker delivers a weaponized Office document via email phishing or web delivery
  • The document contains a malformed object structure that triggers the memory corruption on open
  • Shellcode executes in the context of the logged-in user
  • The attack typically delivers a backdoor or RAT for persistent access

Targeted attack use: CVE-2017-11826 was observed in targeted intrusions attributed to East Asian threat actors, particularly groups conducting espionage against government, defense, and financial targets. The targeted nature (rather than mass phishing) reflects that the vulnerability was exploited by sophisticated actors who possessed or developed reliable exploit code before broad disclosure.

Attack Characteristics

Attribute Detail
Attack Vector File delivery — phishing with malicious Office document
User Interaction Required (open document)
Complexity Low (CVSS AC:L); the exploit observed in the wild was already reliable, so no per-target tuning is needed once a working sample exists
Impact RCE as current user
Observed Use Targeted espionage intrusions

Discovery

Reported to Microsoft by researchers who observed the exploit in the wild, and fixed in the October 10, 2017 security update. The vulnerability was therefore a zero-day at the time the patch shipped, not one found to have been exploited only after the fact.

Exploitation Context

  • Pre-patch targeted exploitation: CVE-2017-11826 was observed in spear-phishing campaigns against high-value targets in the period around its disclosure, indicating the threat actors acquired or discovered the vulnerability before the patch was available
  • East Asian APT attribution: security researchers attributed exploitation of CVE-2017-11826 to APT groups operating out of East Asia, consistent with the targeted nature of the attacks and the types of organizations targeted (government, defense, financial)
  • Office exploitation ecosystem: CVE-2017-11826 is one of several Office code-execution vulnerabilities from the 2017 patch cycle, alongside CVE-2017-0199 (OLE2Link HTA handler, delivered via RTF), CVE-2017-11882 (Equation Editor stack overflow), CVE-2017-8570 (Composite Moniker) and CVE-2017-8759 (.NET Framework WSDL parser, delivered through Office documents); collectively these made Office document phishing among the most effective initial access vectors of 2017
  • CISA KEV (2022): added March 3, 2022 in a batch of Office vulnerabilities with confirmed exploitation history

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply October 2017 Office security update — install the October 10, 2017 security update for all Microsoft Office versions (2007, 2010, 2013, 2016).

  2. Enable Office Protected View — Protected View opens email attachments and files downloaded from the internet in a read-only, sandboxed process with reduced privileges. Parsing still happens, so the memory corruption can fire, but any resulting code runs inside the sandbox and needs a separate escape to reach the user's files or persist. Confirm the setting has not been disabled by policy, and train users not to click Enable Editing on unsolicited attachments.

  3. Enable Attack Surface Reduction rules — the ASR rule "Block all Office applications from creating child processes" (Microsoft Defender Exploit Guard, Windows 10 and later) stops a post-exploitation stage that spawns a payload process, which covers the common dropper pattern but not shellcode that stays in-process or injects into an existing process. Roll the rule out in audit mode first to identify legitimate add-ins that spawn child processes.

  4. Email gateway filtering — scan inbound email attachments for Office documents with anomalous structure; sandbox detonation of Office attachments before delivery catches exploitation attempts.

  5. Upgrade to Microsoft 365 Apps — click-to-run Office receives security updates automatically and also gains new hardening features; perpetual-license versions (2007-2016) depend on manual or WSUS-driven patching and receive security fixes only. Office 2007 reached the end of extended support in October 2017, so any remaining installations should be retired rather than patched.
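The exploitation pattern described under Technical Details and the gateway-filtering step above both depend on telling a structurally anomalous OOXML file from a benign one. The Python script below is an added example written for this page; it is not Microsoft's code, not a published signature for CVE-2017-11826, and not a parser for the vulnerable object structure (which the page does not detail). It unpacks a .docx, checks that the core package parts are present, rejects XML parts that are not well-formed (Office's parser is more lenient than a strict XML parser, so strict-parse failure is a cheap anomaly signal), and flags external relationships and embedded OLE/ActiveX parts. The sample documents are constructed inline for the demonstration, and build_docx and triage_docx are names chosen here.

```python
"""Structural triage of .docx (OOXML) attachments.

Added example for this page; not Microsoft code and not a signature for
CVE-2017-11826. All function names and sample documents are this example's
own constructions.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed sample bodies: one well-formed, one with mismatched close tags.
CLEAN_XML = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
             '<w:t>quarterly report</w:t></w:r></w:p></w:body></w:document>')
MALFORMED_XML = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
                 '<w:t>x</w:t></w:p></w:r></w:body></w:document>')
# Constructed relationship part that points outside the package.
EXTERNAL_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId9" '
                 'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                 'Target="http://example.invalid/obj" TargetMode="External"/></Relationships>')


def build_docx(document_xml, extra_parts=None):
    """Assemble a minimal .docx ZIP in memory (constructed test data)."""
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            "</Types>"
        ),
        "_rels/.rels": (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>'
        ),
        "word/document.xml": document_xml,
    }
    parts.update(extra_parts or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage_docx(data):
    """Return a list of anomaly findings for a .docx; an empty list means no flags."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP container"]
    names = zf.namelist()
    for required in ("[Content_Types].xml", "_rels/.rels", "word/document.xml"):
        if required not in names:
            findings.append(f"missing required part {required}")
    for name in names:
        if name.endswith((".xml", ".rels")):
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError as exc:
                # Office tolerates malformed XML that a strict parser rejects,
                # so strict-parse failure is a cheap, high-signal anomaly.
                findings.append(f"{name}: not well-formed XML ({exc})")
                continue
            if name.endswith(".rels"):
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        findings.append(f"{name}: external relationship to {rel.get('Target')}")
        elif name.startswith(("word/embeddings/", "word/activeX/")):
            # Embedded OLE/ActiveX binaries are legitimate but rare in mail attachments.
            findings.append(f"embedded binary part: {name}")
    return findings


if __name__ == "__main__":
    samples = (("clean", build_docx(CLEAN_XML)),
               ("malformed", build_docx(MALFORMED_XML)),
               ("external", build_docx(CLEAN_XML, {"word/_rels/document.xml.rels": EXTERNAL_RELS})))
    for label, blob in samples:
        print(label, triage_docx(blob) or "no findings")
```

Findings from a script like this are a triage signal, not a verdict: a non-well-formed main part or an external OLE relationship justifies detonating the file in a sandbox before delivery, while a clean result says nothing about exploits that stay within well-formed XML.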

Key Details

Property Value
CVE ID CVE-2017-11826
Vendor / Product Microsoft — Office
NVD Published 2017-10-13
NVD Last Modified 2025-10-22
CVSS 3.1 Score 7.8
CVSS 3.1 Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity HIGH
CWE CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer
CISA KEV Added 2022-03-03
CISA KEV Deadline 2022-03-24
Known Ransomware Use No

CVSS 3.1 Breakdown

Metric Value
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Attack Vector is scored Local because the vulnerable parsing code runs on the machine where the file is opened; email or a web download is only the delivery channel, so CVSS does not award AV:N to file-format bugs. User Interaction is Required because the victim must open the document.

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

Date Event
2017-10-10 Microsoft releases the October 2017 Patch Tuesday update fixing CVE-2017-11826
2017-10-13 CVE-2017-11826 published by NVD
2022-03-03 Added to the CISA Known Exploited Vulnerabilities catalog
2022-03-24 CISA BOD 22-01 remediation deadline

References

Resource Type
NVD — CVE-2017-11826 Vulnerability Database
CISA KEV Catalog Entry US Government
Microsoft Security Advisory — CVE-2017-11826 Vendor Advisory