What Is Microsoft Office OLE Processing?
Microsoft Office supports OLE (Object Linking and Embedding) — a technology allowing Office documents to embed or link external objects including COM objects, HTML pages, scripts, and media. OLE moniker parsing is the mechanism Office uses to locate and instantiate linked external objects. CVE-2017-8570 is a "Composite Moniker" vulnerability — similar to CVE-2017-0199 (the March 2017 RTF zero-day), but using a different OLE mechanism that bypassed the CVE-2017-0199 patch. Both vulnerabilities allow a malicious Office document to execute a remote script without user interaction beyond opening the document.
Overview
CVE-2017-8570 is a remote code execution vulnerability in Microsoft Office caused by improper handling of OLE objects in memory. The vulnerability allows a crafted Office document to cause the application to execute arbitrary scripts when the document is opened. CVE-2017-8570 uses the "Composite Moniker" technique to chain OLE script execution, serving as a bypass for the mitigations introduced after CVE-2017-0199. It was fixed in the July 2017 Patch Tuesday security update. CISA added CVE-2017-8570 to the KEV catalog in February 2022, reflecting continued malicious document campaigns.
Affected Versions
Multiple Microsoft Office versions, including Office 2007, 2010, 2013, 2016, and Office 365; see the Microsoft security advisory for the specific affected product versions.
Technical Details
Root Cause: Composite Moniker OLE Script Execution
CVE-2017-8570 is an improper input validation vulnerability (CWE-20) in Office's OLE object processing. The Composite Moniker technique chains two OLE moniker types together — using a CLSID moniker composed with a File or Script moniker — to cause Office to load and execute an external script file (HTA, VBScript, JScript) when the document is opened.
Relationship to CVE-2017-0199: CVE-2017-0199 used OLE2Link/HTA embedding in RTF documents to execute remote HTA scripts. After Microsoft patched CVE-2017-0199, researchers found that the Composite Moniker approach in CVE-2017-8570 provided an alternate path to the same outcome — script execution when Office processes OLE objects in documents. Both use the same attack model: send a document, victim opens it, script executes.
No macro required: Like CVE-2017-0199, exploitation requires no VBA macros and no macro approval from the user. Standard Office documents (Word, Excel, PowerPoint) can embed the malicious OLE object.
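As an added example (not code from the page, Microsoft, or any referenced advisory), the following Python triage scanner decodes the hex `\objdata` groups of an RTF file, or scans a raw OLE object stream, for the documented COM CLSIDs of the Composite Moniker and File Moniker that the technique above chains together. The CLSID values are the standard COM constants; the two RTF fixtures are constructed inline for the example and are not real samples.

```python
import re
import uuid

# Documented COM moniker CLSIDs; an OLE stream stores a GUID in little-endian
# field order, which is exactly what uuid.bytes_le yields.
MONIKER_CLSIDS = {
    "CompositeMoniker": uuid.UUID("00000309-0000-0000-C000-000000000046"),
    "FileMoniker": uuid.UUID("00000303-0000-0000-C000-000000000046"),
}
# RTF carries embedded OLE objects as hex text inside \objdata groups.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

def decode_objdata(rtf):
    """Return the binary payload of every \\objdata group in an RTF file."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:          # tolerate a truncated, odd-length blob
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs

def find_monikers(blob):
    """Name the moniker CLSIDs present in a raw OLE object blob."""
    return {n for n, clsid in MONIKER_CLSIDS.items() if clsid.bytes_le in blob}

def assess(document):
    """Triage one file: decode RTF \\objdata groups when present, otherwise
    treat the bytes as a raw OLE stream (e.g. oleObject1.bin from a .docx)."""
    blobs = decode_objdata(document) or [document]
    found = set().union(*[find_monikers(b) for b in blobs])
    # CVE-2017-8570 detections key on a CompositeMoniker chained with a
    # FileMoniker; a lone moniker object is still worth an analyst's look.
    if {"CompositeMoniker", "FileMoniker"} <= found:
        verdict = "suspicious: composite+file moniker chain"
    elif found:
        verdict = "review: unexpected moniker object"
    else:
        verdict = "clean"
    return {"monikers": sorted(found), "verdict": verdict}

# Constructed fixtures for this example, not real samples: a plain embedded
# object header, and object data that carries both moniker CLSIDs.
BENIGN_RTF = b"{\\rtf1{\\object{\\*\\objdata 0105000002000000}}}"
SUSPICIOUS_RTF = b"{\\rtf1{\\object{\\*\\objdata 01050000 %s %s}}}" % (
    MONIKER_CLSIDS["CompositeMoniker"].bytes_le.hex().encode(),
    MONIKER_CLSIDS["FileMoniker"].bytes_le.hex().encode(),
)
```

A CLSID byte match is a triage signal for an analyst, not a confirmed exploit, and the raw-bytes path exists because OOXML containers store the object as a binary stream rather than RTF hex.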
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Local (AV:L) — malicious document file delivered to user |
| User Interaction | Required — victim must open the document |
| Impact | Code execution as the logged-on user |
| No macros required | Exploits OLE object parsing, not VBA |
Exploitation Context
- Malicious document spear phishing: CVE-2017-8570 was actively used in spear phishing campaigns; attackers sent crafted Word/Excel documents to targets — opening the document was sufficient to execute the attacker's payload
- APT malware delivery: Multiple APT groups adopted CVE-2017-8570 as a document-based initial access vector, delivering Remote Access Trojans (RATs) and other malware via weaponized Office documents targeting government, financial, and defense sectors
- Post-CVE-2017-0199 persistence: Security teams that blocked .rtf files and applied CVE-2017-0199 patches found that CVE-2017-8570 provided an alternative via standard .doc/.docx/.pptx files
- CISA KEV (2022): Added February 25, 2022 reflecting persistent use of Office document-based code execution in targeted campaigns
Remediation
- Apply July 2017 Office security updates — install the Microsoft security update for CVE-2017-8570 from the July 2017 Patch Tuesday (or any subsequent cumulative update); Office 365 with automatic updates should already be patched.
- Enable Attack Surface Reduction (ASR) rules — Microsoft Defender for Endpoint's ASR rules specifically block Office-based exploitation techniques including OLE object injection; enable the "Block all Office applications from creating child processes" and "Block execution of potentially obfuscated scripts" rules.
- Deploy Protected View — ensure Microsoft Office Protected View is enabled for files originating from the internet or email attachments; Protected View prevents OLE object execution until the user explicitly exits the sandbox.
- Block macros and OLE content by policy — use Group Policy to block OLE activation from untrusted sources; the Office Trust Center's Trusted Locations and ActiveX/OLE blocking controls reduce the attack surface.
- Email gateway filtering — configure email security gateways to strip or sandbox Office attachments before delivery; automated sandboxing of documents can detect CVE-2017-8570-based exploits before they reach end users.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2017-8570 |
| Vendor / Product | Microsoft — Office |
| NVD Published | 2017-07-11 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-20 — Improper Input Validation |
| CISA KEV Added | 2022-02-25 |
| CISA KEV Deadline | 2022-08-25 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2017-07-11 | Microsoft releases July 2017 Patch Tuesday security updates patching CVE-2017-8570; CVE published |
| 2022-02-25 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-08-25 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2017-8570 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Microsoft Security Response Center — CVE-2017-8570 | Vendor Advisory |