Security Advisory 2017-009

Release Date:

UPDATE Critical zero-day vulnerability in Microsoft Office actively exploited



  • 11/04/2017 --- v1.0: Initial publication
  • 12/04/2017 --- v1.1: Adding update information from Microsoft


On 8th of April 2017, FireEye researchers detected malicious Microsoft Office Rich Text Format (RTF) document exploiting a zero-day vulnerability to execute a Visual Basic script when an user opens the document [1, 2]. The malicious script gets executed without the need to enable macros, or any other user interaction.

On 10th of April 2017, Proofpoint researchers observed the vulnerability being exploited to distribute the Dridex banking Trojan in a large e-mail campaign [3].

On 11th of April 2017, Microsoft issued a security update to patch the vulnerability (CVE-2017-0199) [5].

Technical Details

The malicious documents embed an OLE2 link object. When the user opens the malicious document, a .hta file is downloaded from the Internet. The Microsoft HTA application loads and executes the malicious script. The .hta content is disguised as a normal RTF file to evade security products.

The vulnerability is due to the way Microsoft Office products handle HTA files.

Products Affected

All Microsoft Office versions and WordPad on Windows systems are affected by the vulnerability.


Apply security update issued by Microsoft [5].

In the meanwhile, it is recommended to activate Office Protected View to stop the code execution. However, if the user wants to print or edit the malicious document (by clicking on the Enable Editing button), the code will be executed.

Another workaround is to set the following registry keys to block RTF files [4]:

  • Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2
  • Software\Microsoft\Office\15.0\Word\Security\FileBlock\OpenInProtectedView to 0


[1] FireEye Blog

[2] McAfee Blog

[3] ProofPoint Blog

[4] Twitter post by Ryan Hanson

[5] Microsoft security advisory

We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.