This post explores the type confusion discovered by Cybellum's automated vulnerability detection platform in Microsoft Word. It was reported to Microsoft on August 21st. Microsoft has confirmed the vulnerability and patched it as part of the October 2017 Patch Tuesday. It has been assigned CVE-2017-11825.

Cybellum's platform discovers numerous vulnerabilities on a weekly basis, as we train it by having it test popular software. The vulnerabilities it detects are disclosed to the affected vendors.

More information about the vulnerabilities we have recently submitted can be found on our reported vulnerabilities page.


Our vulnerability detection platform has discovered a type confusion vulnerability that affects Microsoft Word 2016. The vulnerability lies in the Word JavaScript API.


As part of the Word JavaScript API, the ContentControl object exposes the getTextRanges method with the following signature: getTextRanges(endingMarks: string[], trimSpacing: bool). The vulnerability occurs because the method expects the first argument to be an array but never verifies the argument's type, so it treats whatever value it is given as an array object (a SafeArray on the native side).


And so, passing a number where the array is expected is enough to crash Word.

Calling getTextRanges(999999999) from the add-in's JavaScript leads to a type confusion when OLEAUT32!SafeArrayGetUBound executes the following instruction (OLEAUT32+0x2547B):

    movzx   eax, word ptr [ecx]

During execution, ECX should hold a pointer to a valid SafeArray object, so this instruction attempts to load the array's number of dimensions (cDims, the first field of the structure) into EAX.

    typedef struct tagSAFEARRAY {
        USHORT         cDims;         <== ECX points here
        USHORT         fFeatures;
        ULONG          cbElements;
        ULONG          cLocks;
        PVOID          pvData;
        SAFEARRAYBOUND rgsabound[1];
    } SAFEARRAY;


But ECX holds the value 0x3b9ac9ff (999999999, the number we passed in place of the array), so the application tries to dereference an invalid address and the result is an access violation.

Because the value used as the SafeArray pointer is attacker-controlled, it can be pointed anywhere in the process's address space. The crash therefore has the potential to be escalated: a heap spray and/or other techniques could place a fake SafeArray object at the chosen address, so that the confused pointer lands on attacker-controlled data and the bug becomes a facilitator of a complete attack.
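To make the mechanism concrete, the following C program is an added example, not code from the original post or from Microsoft. It serves both the missing type check noted in the API description and the escalation sketch above: a tagged (VARIANT-style) value whose tag is ignored yields exactly the 0x3b9ac9ff pointer from the crash, a checked accessor rejects the non-array argument instead of dereferencing it, and a fake SafeArray of the kind a heap spray would plant turns a trusting consumer into an arbitrary read. The SafeArray struct mirrors the tagSAFEARRAY layout quoted above and the VT_*/FADF_* constants are the real OLEAUT32 values; the Variant wrapper, the 1/0 return convention in place of HRESULTs, and the function names (confused_pointer, checked_get_ubound, make_fake_safearray, read_byte_via_array) are assumptions made for illustration, not the Office.js marshalling code.

```c
/* Added example, not from the original post or from Microsoft: a model of the
 * SafeArray type confusion. The Variant wrapper and accessor names below are
 * illustrative assumptions; the SafeArray layout and VT_/FADF_ values are real. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t cElements;   /* number of elements in this dimension */
    int32_t  lLbound;     /* lower bound of this dimension */
} SafeArrayBound;

typedef struct {
    uint16_t       cDims;        /* number of dimensions: the field ECX pointed at */
    uint16_t       fFeatures;
    uint32_t       cbElements;   /* size of one element */
    uint32_t       cLocks;
    void          *pvData;       /* element storage: attacker-chosen in a fake array */
    SafeArrayBound rgsabound[1]; /* one bound per dimension, last dimension first */
} SafeArray;

/* Minimal VARIANT-style tagged value (assumed shape of the marshalled argument):
 * the tag says whether the payload is a number or an array. */
enum { VT_I4 = 3, VT_UI1 = 17, VT_ARRAY = 0x2000, FADF_HAVEVARTYPE = 0x80 };

typedef struct {
    uint16_t vt;
    union {
        int32_t    lVal;
        SafeArray *parray;
    } u;
} Variant;

/* The bug, modelled: the payload is reinterpreted as SafeArray* without looking
 * at vt. For getTextRanges(999999999) this yields 0x3b9ac9ff, the value ECX held
 * when "movzx eax, word ptr [ecx]" faulted. The address is returned rather than
 * dereferenced so the model stays runnable. */
uintptr_t confused_pointer(const Variant *v)
{
    return (uintptr_t)v->u.parray;
}

/* The hardened form: refuse anything not tagged as an array, then apply the same
 * bounds logic as SafeArrayGetUBound (dimensions are 1-based and rgsabound[] is
 * stored with the last dimension first). Returns 1 and sets *ubound on success,
 * 0 on a type or index error (the real API returns HRESULTs instead). */
int checked_get_ubound(const Variant *v, uint32_t dim, int32_t *ubound)
{
    if (!(v->vt & VT_ARRAY) || v->u.parray == NULL)
        return 0;                                   /* wrong type: reject, never deref */
    const SafeArray *sa = v->u.parray;
    if (dim == 0 || dim > sa->cDims)
        return 0;                                   /* bad dimension index */
    const SafeArrayBound *b = &sa->rgsabound[sa->cDims - dim];
    *ubound = b->lLbound + (int32_t)b->cElements - 1;
    return 1;
}

/* Escalation sketch: if a heap spray places these bytes at the address the
 * confused pointer is steered to, pvData points wherever the attacker likes. */
SafeArray make_fake_safearray(const void *target, uint32_t nbytes)
{
    SafeArray fake;
    memset(&fake, 0, sizeof fake);
    fake.cDims = 1;
    fake.fFeatures = FADF_HAVEVARTYPE;
    fake.cbElements = 1;
    fake.pvData = (void *)target;       /* element storage aimed at the target */
    fake.rgsabound[0].cElements = nbytes;
    fake.rgsabound[0].lLbound = 0;
    return fake;
}

/* A consumer that, like the real API, trusts the array header it is handed:
 * the header's own bounds are honoured, but they and pvData are attacker data,
 * so this is an arbitrary read. Returns 1 on success, 0 if out of the header's
 * bounds or not a byte array. */
int read_byte_via_array(const SafeArray *sa, uint32_t idx, uint8_t *out)
{
    if (sa->cDims != 1 || sa->cbElements != 1)
        return 0;
    if (idx >= sa->rgsabound[0].cElements)
        return 0;
    *out = ((const uint8_t *)sa->pvData)[idx];
    return 1;
}

/* Stand-alone demo over constructed sample data. */
int main(void)
{
    Variant number;
    memset(&number, 0, sizeof number);
    number.vt = VT_I4;
    number.u.lVal = 999999999;            /* the argument from the crash PoC */
    printf("confused pointer: 0x%lx\n", (unsigned long)confused_pointer(&number));

    int32_t ub = 0;
    printf("checked_get_ubound on a number: %d\n", checked_get_ubound(&number, 1, &ub));

    static const char secret[] = "constructed secret data";   /* constructed sample */
    SafeArray fake = make_fake_safearray(secret, sizeof secret);
    uint8_t b = 0;
    read_byte_via_array(&fake, 0, &b);
    printf("first byte read through the fake array: %c\n", b);
    return 0;
}
```

Build with cc -Wall safearray_confusion.c && ./a.out. The checked accessor is the whole fix: once vt is consulted before the payload is treated as a pointer, the number never reaches the dereference, and the fake-array read in the second half only matters if the confused pointer can be made to land on attacker bytes in the first place.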

Proof of Concept

The proof of concept is a Word add-in built from the three files attached to this report (crash.html, crash.js and CrashManifest.xml). Deploy it as follows:

1) Put crash.html and crash.js in the root folder of a local web server and start the server. http://localhost/crash.html should now load correctly.

2) Put the CrashManifest.xml file inside a shared folder.


3) Add the shared folder to the Trusted Add-in Catalogs by executing these steps:

      a) Open Word.

      b) Go to File -> Options -> Trust Center -> Trust Center Settings -> Trusted Add-in Catalogs.

      c) Enter the shared folder's path in the Catalog Url field, add it, and tick the "Show in Menu" option.

      d) Restart Word.

4) Launch the add-in by going to Home -> My Add-ins -> Shared Folder -> Crashapplication. Word crashes as soon as the add-in's script issues the getTextRanges call.


The vulnerability was tested on Windows 10 x64 with the following product and module versions:

Product: Word 2016 MSO (16.0.8229.2086) 32-bit, Version: 1706 (Build 8229.2103)

Module: wwlib.dll 16.0.8229.2103(32-bit), oleaut32.dll 10.0.15063.332 (32-bit)

It also affects Word for Mac, version 15.38.0.

Final Words

This Word 2016 vulnerability is one of many lurking within the code of every piece of software on the market. There is currently no way to catch every security issue before a product ships. Even industry giants like Microsoft cannot account for every vulnerability in their products, which makes Patch Tuesday a necessary part of the deployment cycle.

The vulnerability also highlights the vast attack surface of any software. With attackers squarely focused on malicious macros in Word documents, and security solutions emphasising the detection of those, this type of vulnerability and the attacks built on it could be harder to detect and protect against.

Cybellum was founded to make the job of DevOps, DevSecOps and decision-makers within companies that rely on software easier. We do it through automatic vulnerability detection that is quick, efficient and comprehensive in its coverage.

Instead of giving security researchers a tool, we provide a platform that delivers actionable insights by detecting vulnerabilities and assessing the security risk of any software. The result is a report that helps a developer fix vulnerabilities while explaining to the decision-maker how secure the software they are considering releasing or integrating actually is.