Skip to main content
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Microsoft Office EPS Filter Remote Code Execution Vulnerability

IdentifiersCVE-2017-0262CWE-843

CVE-2017-0262 is a remote code execution vulnerability affecting Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016. The issue is associated with Encapsulated PostScript (EPS) handling in Office, where malicious Office documents invoke FLTLDR.EXE to render embedded EPS content. Supporting reporting describes the flaw as an EPS type confusion involving a forged procedure object used with the PostScript forall operator to control operand stack values. Observed exploitation used heap spraying and forged objects to leak module base information for EPSIMP32.flt, then pivoted through a forged file object and the bytesavailable operator into a ROP chain and shellcode. In the wild, the vulnerability was delivered via spearphishing documents such as a Word document containing an embedded malicious EPS file and was used by APT28/Sofacy/Sednit to execute payloads including GAMEFISH and Seduploader.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote code execution in the context of the user opening the malicious Office document. In observed campaigns, attackers used the flaw to execute shellcode from a crafted Word document and then chain it with CVE-2017-0263 to escape the FLTLDR.EXE sandbox, elevate privileges to SYSTEM, and install malware such as GAMEFISH or Seduploader. The practical impact is full compromise of the affected workstation, subject initially to the privileges of the current user and, when chained with a local privilege-escalation vulnerability, complete system takeover.

Mitigation

If you can’t patch tonight, do this now.

Disable or restrict EPS processing in Microsoft Office in accordance with Microsoft's ADV170005 guidance. Reduce exposure by blocking or sandboxing unsolicited Office attachments, especially spearphishing-delivered Word documents with embedded EPS content. Use Protected View, attachment detonation, and mail gateway filtering for suspicious Office documents. Limit user privileges to reduce post-exploitation impact, and monitor for abnormal FLTLDR.EXE invocation, embedded EPS rendering, and child-process or shellcode-like behavior originating from Office applications.

Remediation

Patch, then assume compromise.

Apply Microsoft's security updates for CVE-2017-0262 for affected Office versions. Microsoft also disabled EPS processing in Office as part of April 2017 Patch Tuesday and advised customers to follow ADV170005 as a defense-in-depth measure against EPS filter vulnerabilities. Systems running Office 2010 SP2, Office 2013 SP1, and Office 2016 should be updated to patched builds and any legacy EPS handling components should remain disabled unless explicitly required and securely managed.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationOfficeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
securelistNews
Aug 8, 2017
APT Trends report Q2 2017

A Microsoft Office Encapsulated PostScript (EPS) zero-day vulnerability used in targeted attacks.

Read more
web archiveNews
May 9, 2017
EPS Processing Zero-Days Exploited by Multiple Threat Actors " EPS Processing Zero-Days Exploited by Multiple Threat Actors | FireEye Inc

A Microsoft Office EPS remote code execution zero-day caused by type confusion involving a forged procedure object used with the PostScript forall operator, enabling attacker-controlled operand stack manipulation and subsequent ROP/shellcode execution.

Read more
mitre attack websiteNews
Oct 1, 2016
APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch, Group G0007 | MITRE ATT&CK®

A Microsoft Office vulnerability exploited by APT28 for client-side code execution.

Read more
mitre attackNews
Jan 25, 2026
Exploitation for Client Execution, Technique T1203 - Enterprise | MITRE ATT&CK®

A Microsoft Office vulnerability exploited by APT28 for code execution.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence5

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2017-0262
NVD
nvd.nist.gov/vuln/detail/CVE-2017-0262
MITRE CWE · CWE-843
cwe.mitre.org
Patch
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262
Third Party Advisory
securityfocus.com/bid/98279
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0262