Vulnerabilities in Microsoft Office Security functions
USCYBERCOM warns about Iran exploiting vulnerabilities in Microsoft Office Security functions
On July 2, US Cyber Command (USCYBERCOM) warned that malware linked to Iranian state-sponsored groups exploits a vulnerability in Microsoft Outlook. The issue, first discovered by SensePost researchers in October 2017 and identified as a “Microsoft Office Security Feature Bypass Vulnerability,” affected Outlook 2010 SP2, Outlook 2013 SP1, 2013 RT SP1, and Outlook 2016.
How can the Microsoft Office security vulnerability be exploited?
The vulnerability, CVE-2017-11774, allows an attacker to abuse the Outlook client’s folder home page. This Outlook feature was designed to allow users to customize the default view of Outlook folders: once a home page is set, the specified URL is loaded and displayed whenever the Outlook folder is selected. If an attacker gains control of the home page, they can inject arbitrary HTML or Visual Basic code, so the consequences of a successful attack are hard to bound. To carry out the attack, the attacker must embed malicious code in an Outlook-specific ActiveX format that is loaded from a URL.
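As an added illustration from the defender’s side (not part of the original article), the PowerShell below lists the per-folder home-page URLs Outlook stores for the current user, so an analyst can confirm that no unexpected home page is configured. The registry location and the Office version numbers are assumptions drawn from Microsoft’s documented home-page feature, not from the page.

```powershell
# Added example, not from the original article: audit the Outlook folder
# home-page settings that CVE-2017-11774 abuses. Registry location is an
# assumption based on Microsoft's documented Outlook home-page feature:
#   HKCU\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>\URL
# Assumed version keys: 14.0 = Outlook 2010, 15.0 = Outlook 2013, 16.0 = Outlook 2016.

function Get-OutlookFolderHomePage {
    [CmdletBinding()]
    param(
        # Office version keys to inspect; defaults cover the releases the advisory names
        [string[]]$OfficeVersion = @('14.0', '15.0', '16.0')
    )

    foreach ($ver in $OfficeVersion) {
        $base = "HKCU:\Software\Microsoft\Office\$ver\Outlook\WebView"
        if (-not (Test-Path $base)) { continue }

        # Each subkey is a folder (Inbox, Calendar, ...) that may carry a URL value
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            $url = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).URL
            if ([string]::IsNullOrWhiteSpace($url)) { return }   # no home page set

            # A folder home page is legitimate only if the organization set one;
            # a URL pointing off-host deserves an analyst's attention.
            $isRemote = ($url -match '^(https?|ftp)://') -and
                        ($url -notmatch '^https?://(localhost|127\.0\.0\.1)(:|/|$)')

            [pscustomobject]@{
                OfficeVersion = $ver
                Folder        = $_.PSChildName
                HomePageUrl   = $url
                Remote        = $isRemote
            }
        }
    }
}

# Report every configured folder home page; an empty result is the expected baseline
$findings = Get-OutlookFolderHomePage
if (-not $findings) {
    Write-Output 'No Outlook folder home pages configured for this user.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it per user profile (the keys live under HKCU), and treat any remote home page that change management cannot account for as a candidate for incident response rather than deleting it outright.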
FireEye security experts attributed the exploitation of Outlook to two Iranian state-sponsored groups, APT33 and APT34. USCYBERCOM has maintained an account on VirusTotal since November 2018; following earlier reports of the vulnerability in Microsoft software, the organization uploaded 5 infected files to VirusTotal, samples that are now being used in ongoing attacks.
What should Skybox clients do?
The official recommendation from USCYBERCOM states that users should apply the patch — which is readily available — as soon as possible. It is worth noting that this is the first warning issued by USCYBERCOM regarding a non-Russian state-sponsored attack and highlights the growing capabilities of other nations to cause harm in cyberspace.
Skybox clients were first notified of the vulnerability and its patch on October 10, 2017. They were then informed when the exploit was made publicly available (December 7, 2017) and when it was first used by attackers (December 25, 2018).
If Skybox clients have been remediating vulnerabilities in their networks according to the priorities set by the software, they should have applied the patch to vulnerable systems years ago, and in that case they have nothing to worry about now. Contextual awareness of threats, and of how security vulnerabilities could impact the organization if exploited, is key to ensuring protection against future exploits. All of this can be achieved by using Skybox Security software.
Source: www.skyboxsecurity.com