Credit: Ryan Hanson, Haifei Li, Bing Sun, Unknown Hackers
In an instance of parallel discovery, two different flaws were identified in how Microsoft Office handles linked OLE objects. CVE-2017-0199 refers to both issues, the first related to the URL Moniker, which can be used to load arbitrary HTA payloads via OLE (and RTF) documents, and the other to the Script Moniker, which can be abused in PowerPoint documents via custom actions. Haifei Li reported the Script Moniker vector and Ryan Hanson the URL Moniker while an unknown party was actively exploiting the URL Moniker issue with spear phishing attacks.
These bugs were interesting from a timing perspective (at least three different folks discovering them in parallel) and due to the fact that they were perfectly effective against Windows 10 and Office 2016, bypassing all memory-based attack mitigations. Since the publication of these issues, both vectors have become favorites of penetration testers and random blackhats alike.
Haifei Li & Bing Sun’s presentation at the SYSCAN360 Seattle conference pointed out that Microsoft’s patch may not be complete, as it blacklists two COM controls, but exploitable may be possible through third-party controls instead.