Traps Prevents Microsoft Office Zero-Day

Category: Endpoint

An attack leveraging a recently patched Microsoft Office zero-day vulnerability (CVE-2017-11826) to deliver malware has been observed in the wild.


The vulnerability is a memory-corruption bug affecting Microsoft Office 2007 products and later. Leveraging the vulnerability requires the attacker to convince the victim to open a specially crafted file using a vulnerable version of Microsoft Office. This can be done via email (malspam) or a web-based attack (for example, hosting the file on compromised website).

The attack was observed initiating with an RTF file that, when opened, triggers a remote arbitrary code execution by using Microsoft Word tags and corresponding attributions to carry out the payload delivery.

Following this attack, an attacker can take control of a system and abuse it by creating new accounts with full rights, or manipulating and deleting data. As reportedly observed by security firm Qihoo 360, attackers exploited the vulnerability to utilize a remote Trojan and steal sensitive data.


Palo Alto Networks Traps advanced endpoint protection successfully prevents this attack at the very beginning by averting the use of return-oriented programming, or ROP, and protecting against the use of constant addresses from DLLs not compliant with address space layout randomization, or ASLR, thus blocking the execution of any malicious payload. No updates are needed to prevent this attack with Traps. In fact, it would have been prevented years before it ever became public.

Learn more about Traps advanced endpoint protection.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.

© 2019 Palo Alto Networks, Inc. All rights reserved.