CVE-2024-43517 Overview
CVE-2024-43517 is a remote code execution vulnerability in Microsoft ActiveX Data Objects (ADO), the data access component shipped with Windows. The flaw is categorized as a heap-based buffer overflow [CWE-122] and affects all currently supported versions of Windows client and server operating systems. An attacker who successfully exploits the vulnerability can execute arbitrary code in the context of the targeted user. Exploitation requires user interaction, typically by inducing a victim to open a crafted file or visit a malicious page that triggers the vulnerable ADO code path.
Critical Impact
Successful exploitation grants attackers arbitrary code execution on affected Windows hosts, enabling full system compromise when the targeted user holds administrative rights.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2024-10-08 - CVE-2024-43517 published to NVD and addressed in Microsoft's October 2024 Patch Tuesday
- 2024-10-17 - Last updated in NVD database
Technical Details for CVE-2024-43517
Vulnerability Analysis
The vulnerability resides in Microsoft ActiveX Data Objects, the COM-based data access layer used by Windows applications, scripting hosts, and Microsoft Office to interact with OLE DB providers. ADO is implemented in libraries such as msado15.dll and is invoked through ProgIDs like ADODB.Connection and ADODB.Recordset. Improper bounds handling during processing of attacker-controlled input results in a heap-based buffer overflow. The corrupted heap state can be steered to overwrite adjacent objects or function pointers, leading to arbitrary code execution within the host process.
Root Cause
Microsoft classifies the flaw as a heap-based buffer overflow [CWE-122] but has not published the affected code path, so the exact parsing defect inside ADO is not publicly known. The usual shape of this weakness class is a heap buffer allocated from one length value while the copy into it is driven by a different, attacker-influenced size; the resulting out-of-bounds write corrupts neighboring allocations or heap metadata and hands the attacker a controllable memory corruption primitive. Treat any more specific description of ADO's internal length handling as unconfirmed until vendor or researcher analysis is published.
Attack Vector
The attack vector is network-based but requires user interaction. An attacker delivers crafted content that instantiates ADO objects; candidate carriers are an Office document with an embedded ADO query, an HTML page that scripts ADODB.Recordset, or a .udl connection artifact. When the victim opens the content, ADO processes the malicious input and triggers the overflow. Code executes in the context of the current user, so administrative accounts yield full system compromise. As of the last NVD update (2024-10-17) there is no public proof-of-concept and the issue is not listed in CISA KEV; the EPSS score nonetheless indicates elevated exploitation likelihood relative to most CVEs.
No verified public exploit code is available. Refer to the Microsoft Security Update CVE-2024-43517 advisory for vendor-supplied technical details.
Detection Methods for CVE-2024-43517
Indicators of Compromise
- Unexpected child processes spawned by Microsoft Office applications (winword.exe, excel.exe, outlook.exe) or by script hosts (wscript.exe, cscript.exe, mshta.exe) following document open events.
- Loading of msado15.dll, msadox.dll, or oledb32.dll by unusual processes, particularly browsers or LOLBins.
- Anomalous outbound network connections immediately after ADO-related COM object instantiation.
- Crash reports or Windows Error Reporting events implicating ADO libraries on unpatched hosts.
Detection Strategies
- Hunt for process trees where Office or script-host processes instantiate ADODB.* COM objects and subsequently launch shells, rundll32, or regsvr32.
- Correlate document-borne file opens with module loads of ADO DLLs in non-database workflows.
- Inspect endpoint telemetry for memory protection events (heap corruption, DEP violations) inside processes loading msado15.dll.
- Apply YARA or static rules to inbound documents that embed connection strings or scripted ADO usage uncommon for the environment.
Monitoring Recommendations
- Centralize Sysmon Event IDs 1 (process create), 7 (image load), and 11 (file create) and alert on ADO library loads outside known database applications. Sysmon records Event ID 7 only when image-load logging is enabled in its configuration, and it is high-volume, so scope the ImageLoad filter to the ADO and OLE DB modules and to the Office, script-host, and browser images rather than logging every load.
- Monitor Windows Defender Exploit Guard and Attack Surface Reduction logs for blocked child-process creations from Office.
- Track patch deployment status of the October 2024 cumulative updates across all Windows endpoints and servers.
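The hunts listed under Detection Strategies and Monitoring Recommendations can be expressed as one correlation pass over Sysmon telemetry: flag any ADO or OLE DB module load outside known database applications, raise the severity when the loader is an Office, script-host, or browser process, and escalate when that same process (matched on ProcessGuid, not image name) spawns a shell or LOLBin shortly afterwards. The code below is an added example, not code from Microsoft or from the original page; the event records are constructed samples, and the document-host, suspicious-child, and database-application lists are assumptions to be tuned per environment.

```python
"""Hunt for ADO library loads in document/script hosts and follow-on child
processes, using Sysmon Event ID 7 (image load) and Event ID 1 (process
create) records. Added example with constructed sample events; not real
telemetry and not code from the vendor advisory."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# ADO / OLE DB modules from the indicator list above.
ADO_MODULES = {"msado15.dll", "msadox.dll", "oledb32.dll"}
# Hosts that open external content; an ADO load inside them is unusual
# unless the workflow is database driven (assumed list, tune per estate).
DOCUMENT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe",
                  "msedge.exe", "chrome.exe", "iexplore.exe"}
# Children worth escalating on when spawned by a process that just loaded ADO.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                       "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                       "certutil.exe"}
# Applications where ADO loads are expected and must not alert (assumed allowlist).
KNOWN_DB_APPS = {"ssms.exe", "msaccess.exe"}
# Longest gap between the ADO load and a child spawn that still counts as one chain.
WINDOW = timedelta(minutes=5)


@dataclass
class SysmonEvent:
    event_id: int           # 1 = ProcessCreate, 7 = ImageLoad
    time: datetime
    image: str              # full path of the process the event belongs to
    process_guid: str
    image_loaded: str = ""  # Event 7 only
    parent_image: str = ""  # Event 1 only
    parent_guid: str = ""   # Event 1 only
    command_line: str = ""  # Event 1 only


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: list[SysmonEvent]) -> list[dict]:
    """Return one alert per ADO load outside KNOWN_DB_APPS ('medium' when the
    loader is a document/script host, else 'low') and a 'high' alert when that
    same process spawns a suspicious child within WINDOW of the load."""
    ado_loads = {}  # process_guid -> (load time, host name, module name)
    alerts = []
    for e in sorted(events, key=lambda ev: ev.time):
        if e.event_id == 7:
            host, module = basename(e.image), basename(e.image_loaded)
            if module not in ADO_MODULES or host in KNOWN_DB_APPS:
                continue
            ado_loads[e.process_guid] = (e.time, host, module)
            alerts.append({"severity": "medium" if host in DOCUMENT_HOSTS else "low",
                           "time": e.time, "guid": e.process_guid, "host": host,
                           "module": module, "child": None})
        elif e.event_id == 1 and e.parent_guid in ado_loads:
            t_load, host, module = ado_loads[e.parent_guid]
            child = basename(e.image)
            # Same process (matched on ProcessGuid) and inside the time window.
            if child in SUSPICIOUS_CHILDREN and timedelta(0) <= e.time - t_load <= WINDOW:
                alerts.append({"severity": "high", "time": e.time, "guid": e.parent_guid,
                               "host": host, "module": module, "child": child,
                               "command_line": e.command_line})
    return alerts


def sample_events() -> list[SysmonEvent]:
    """Constructed Sysmon-style records: a malicious chain, benign database
    use, a browser load with no follow-on, a benign child, and a stale chain."""
    t0 = datetime(2024, 10, 9, 10, 0, 0)

    def at(seconds: int) -> datetime:
        return t0 + timedelta(seconds=seconds)

    office = r"C:\Program Files\Microsoft Office\root\Office16"
    ado = r"C:\Program Files\Common Files\System\ado\msado15.dll"
    return [
        # Excel loads ADO after a document open, then spawns cmd.exe: high.
        SysmonEvent(7, at(5), office + r"\EXCEL.EXE", "A", image_loaded=ado),
        SysmonEvent(1, at(7), r"C:\Windows\System32\cmd.exe", "A1",
                    parent_image=office + r"\EXCEL.EXE", parent_guid="A",
                    command_line="cmd.exe /c whoami"),
        # SSMS loading ADO is normal: no alert.
        SysmonEvent(7, at(20), r"C:\Program Files\SSMS\Ssms.exe", "S", image_loaded=ado),
        # Edge loads oledb32.dll with no child: medium only.
        SysmonEvent(7, at(300), r"C:\Program Files\Microsoft\Edge\msedge.exe", "B",
                    image_loaded=r"C:\Program Files\Common Files\System\Ole DB\oledb32.dll"),
        # Word loads ADO and spawns a benign print helper: medium only.
        SysmonEvent(7, at(600), office + r"\WINWORD.EXE", "C", image_loaded=ado),
        SysmonEvent(1, at(602), r"C:\Windows\splwow64.exe", "C1",
                    parent_image=office + r"\WINWORD.EXE", parent_guid="C"),
        # wscript loads ADO, but the PowerShell child comes 30 minutes later: medium only.
        SysmonEvent(7, at(-3600), r"C:\Windows\System32\wscript.exe", "D", image_loaded=ado),
        SysmonEvent(1, at(-1800), r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "D1", parent_image=r"C:\Windows\System32\wscript.exe", parent_guid="D"),
        # A LOLBin outside the document-host list loading ADO: low.
        SysmonEvent(7, at(900), r"C:\Windows\System32\rundll32.exe", "E", image_loaded=ado),
    ]


if __name__ == "__main__":
    for a in hunt(sample_events()):
        print(a["severity"].upper(), a["time"].time(), a["host"], a["module"], a["child"] or "")
```

Running the sample yields four medium alerts (the Excel, Edge, Word, and wscript loads), one low alert (rundll32), and a single high alert for the Excel process that spawned cmd.exe two seconds after loading msado15.dll; the SSMS load and the stale wscript chain produce nothing. In production, feed the function a time-ordered export of Sysmon events and keep the `KNOWN_DB_APPS` allowlist tight, since every process you add there is one that will never alert.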
How to Mitigate CVE-2024-43517
Immediate Actions Required
- Apply the October 2024 Microsoft security updates that remediate CVE-2024-43517 to all affected Windows client and server systems.
- Prioritize patching of internet-facing servers, administrative workstations, and hosts that routinely open external documents.
- Enforce Office Protected View and block macros from the internet to reduce exposure during patch rollout.
- Audit endpoints for unpatched legacy systems such as Windows Server 2008 SP2 that require Extended Security Updates.
Patch Information
Microsoft released fixes via the October 2024 Patch Tuesday cumulative updates. Refer to the Microsoft Security Update CVE-2024-43517 advisory for the exact KB articles applicable to each Windows version and install them through Windows Update, WSUS, or the Microsoft Update Catalog.
Workarounds
- Restrict execution of untrusted scripts and documents through Attack Surface Reduction rules that block Office applications from creating child processes.
- Disable ActiveX controls and scripting in Internet Explorer mode and Microsoft Edge for untrusted zones.
- Enforce least-privilege user accounts so that successful exploitation does not yield administrative control.
- Use application control policies (WDAC, AppLocker DLL rules) to block msado15.dll and related COM libraries only on hosts where ADO is genuinely unused. These policies block a library for every process rather than per caller, so test against database-dependent applications before deployment.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


