📄 Description (English)
Microsoft Office and WordPad Remote Code Execution Vulnerability — Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for remote code execution.
🤖 AI Executive Summary
CVE-2017-0199 is a critical remote code execution vulnerability in Microsoft Office and WordPad that allows attackers to execute arbitrary code through specially crafted documents. This vulnerability has been actively exploited in the wild since 2017 and remains one of the most commonly weaponized CVEs in phishing campaigns globally. With a CVSS score of 9.0 and publicly available exploits, it poses an extreme risk to organizations that have not applied patches. It is frequently used by APT groups and cybercriminal operations targeting Middle Eastern organizations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 7, 2026 06:52
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risk across all Saudi sectors due to the ubiquitous use of Microsoft Office. Banking sector (SAMA-regulated entities) faces high risk from phishing campaigns delivering weaponized Office documents. Government agencies under NCA oversight are prime targets for APT groups known to use CVE-2017-0199 (including APT34/OilRig which specifically targets Saudi organizations). Energy sector including ARAMCO and its supply chain, telecom operators like STC, and healthcare institutions are all at significant risk. Saudi Arabia has been specifically targeted by threat actors using this CVE, including Iranian-linked APT groups. Legacy systems running unpatched Office versions in industrial control environments (OT/ICS) in the energy sector compound the risk.
🏢 Affected Saudi Sectors
Government
Banking
Energy
Telecom
Healthcare
Defense
Education
Retail
⚖️ Saudi Risk Score (AI)
9.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Apply Microsoft security update MS17-010 and subsequent patches for all Microsoft Office installations immediately
2. Block RTF files at email gateways and web proxies as a compensating control
3. Disable the OLE (Object Linking and Embedding) feature in Microsoft Office via Group Policy
4. Enable Protected View in Microsoft Office for all documents from external sources
PATCHING GUIDANCE:
- Deploy Microsoft patches KB3141529, KB3178710, KB3178703, and related updates across all endpoints
- Prioritize patching for user-facing systems that handle external email and documents
- Verify patch status using vulnerability scanning tools
COMPENSATING CONTROLS:
- Configure email security gateways to sandbox and detonate Office documents before delivery
- Implement application whitelisting to prevent unauthorized code execution
- Disable HTA file execution via Windows Group Policy
- Block outbound connections from Office applications using host-based firewall rules
DETECTION RULES:
- Monitor for Office applications spawning cmd.exe, powershell.exe, mshta.exe, or wscript.exe
- Deploy YARA rules for CVE-2017-0199 exploit patterns in RTF and DOCX files
- Alert on HTA file downloads initiated by WINWORD.EXE or WORDPAD.EXE
- Monitor for unusual OLE object embedding in Office documents
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تطبيق تحديث الأمان من مايكروسوفت MS17-010 والتحديثات اللاحقة لجميع تثبيتات Microsoft Office فوراً
2. حظر ملفات RTF على بوابات البريد الإلكتروني وخوادم الوكيل كإجراء تعويضي
3. تعطيل ميزة OLE (ربط الكائنات وتضمينها) في Microsoft Office عبر سياسة المجموعة
4. تمكين العرض المحمي في Microsoft Office لجميع المستندات من مصادر خارجية
إرشادات التحديث:
- نشر تحديثات مايكروسوفت KB3141529 وKB3178710 وKB3178703 والتحديثات ذات الصلة على جميع الأجهزة
- إعطاء الأولوية لتحديث الأنظمة التي تتعامل مع البريد الإلكتروني والمستندات الخارجية
- التحقق من حالة التحديث باستخدام أدوات فحص الثغرات
الضوابط التعويضية:
- تكوين بوابات أمان البريد الإلكتروني لعزل وتحليل مستندات Office قبل التسليم
- تنفيذ القوائم البيضاء للتطبيقات لمنع تنفيذ التعليمات البرمجية غير المصرح بها
- تعطيل تنفيذ ملفات HTA عبر سياسة مجموعة Windows
- حظر الاتصالات الصادرة من تطبيقات Office باستخدام قواعد جدار الحماية
قواعد الكشف:
- مراقبة تطبيقات Office التي تقوم بتشغيل cmd.exe أو powershell.exe أو mshta.exe أو wscript.exe
- نشر قواعد YARA لأنماط استغلال CVE-2017-0199 في ملفات RTF وDOCX
- التنبيه عند تنزيل ملفات HTA بواسطة WINWORD.EXE أو WORDPAD.EXE
- مراقبة تضمين كائنات OLE غير عادية في مستندات Office
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
2-3-1 (Patch Management)
2-5-1 (Malware Protection)
2-6-1 (Email Security)
2-2-1 (Asset Management)
2-9-1 (Vulnerability Management)
🔵 SAMA CSF
3.3.3 (Patch Management)
3.3.5 (Malware Protection)
3.3.7 (Email and Messaging Security)
3.3.4 (Vulnerability Management)
3.1.3 (Cyber Security Risk Management)
🟡 ISO 27001:2022
A.8.8 (Management of Technical Vulnerabilities)
A.8.7 (Protection Against Malware)
A.8.23 (Web Filtering)
A.5.7 (Threat Intelligence)
🟣 PCI DSS v4.0
6.3.3 (Install Critical Security Patches)
5.2 (Deploy Anti-Malware)
11.3 (Vulnerability Scanning)
5.3 (Anti-Malware Mechanisms Are Active)
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Microsoft:Office and WordPad