Category: Office

May 09 2017

Microsoft’s recent success in blocking in-the-wild attacks is eerily good


Microsoft engineers have neutralized a series of attacks that took control of targeted computers by exploiting independent vulnerabilities in Word and Windows. Remarkably, the software maker said fixes or partial mitigations for all four security bugs were released before it received private reports of the attacks.

Both versions of the attacks used malformed Word documents that were attached to phishing e-mails sent to a highly select group of targets. The malicious documents chained together two exploits, one that targeted flaws in an Encapsulated PostScript filter in Word and the other that targeted elevation-of-privilege bugs in Windows so that the attack could break out of the security sandbox that fortifies Office. Encapsulated PostScript is an old format that's rarely used any more.

One version of the attacks combined an exploit for a Word EPS flaw designated as CVE-2017-0261 with an exploit for CVE-2017-0001, a Windows privilege-escalation bug. By the time Microsoft received a private report of ongoing attacks in March, the company had already released a partial fix as part of its March Update Tuesday release. A second attack version exploited an EPS flaw indexed as CVE-2017-0262 in combination with CVE-2017-0263, a separate Windows privilege-elevation flaw.


Mar 04 2016

It’s 2016, so why is the world still falling for Office macro malware?

In the late 1990s, Microsoft Office macros were a favorite vehicle for surreptitiously installing malware on the computers of unsuspecting targets. Microsoft eventually disabled the automated scripts by default, a setting that forced attackers to look for new infection methods. Remotely exploiting security bugs in Internet Explorer, Adobe Flash, and other widely used software soon came into favor.

Over the past two years, Office macros have made a dramatic comeback that has reached almost a fever pitch in the past few months. Booby-trapped Excel macros, for instance, were one of the means by which Ukrainian power authorities were infected in the weeks or months leading up to December's hacker-caused outage that affected 225,000 people. "Locky," a particularly aggressive strain of crypto ransomware that appeared out of nowhere two weeks ago, also relies on Word macros. The return of macro-delivered malware seemed to begin in late 2014 with the advent of a then-new banking trojan called Dridex.

The return of the macro may have been a reaction to security improvements that Adobe, Microsoft, and Oracle have made to their software. Not only were the companies patching dangerous bugs more quickly, but in many cases they fortified their code with defenses that caused exploits to simply crash the application rather than force it to execute malicious code. Streamlined update mechanisms and greater end-user awareness of the importance of installing security patches right away may also have caused code-execution exploits to fall out of favor.


Mar 24 2014

Zero-day vulnerability in Microsoft Word under active attack

Attackers are exploiting a newly discovered vulnerability in Microsoft Word that makes it possible to remotely seize control of computers, the company warned.

The in-the-wild attacks work by creating booby-trapped documents in the Rich Text Format (RTF) that exploit a vulnerability in the 2010 version of Microsoft Word, Microsoft warned in an advisory published Monday. Similar attacks work against other versions of Word, including 2003, 2007, and 2013 for Windows, Microsoft Office for Mac 2011, and multiple versions of Microsoft SharePoint Server. E-mails that are viewed or previewed using a default setting in Outlook allow the attacker to gain the same system privileges as the user who is currently logged in.

"Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word," Monday's advisory stated. "At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word or previews or opens a specially crafted RTF e-mail message in Microsoft Outlook while using Microsoft Word as the e-mail viewer."


Aug 09 2011

Patch Tuesday August 2011 – 13 updates, 22 vulnerabilities

Microsoft released 13 bulletins today, which is quite large for a summer Patch Tuesday, but only two of these bulletins were critical. There are nine rated important and two rated as moderate.

The first critical bulletin, MS11-057, affects Internet Explorer and patches seven vulnerabilities. Two of these vulnerabilities were disclosed publicly and are rated moderate. The other five, disclosed privately, could allow remote code execution (RCE) and are thus automatically rated critical.

The other critical bulletin, MS11-058, impacts Windows DNS servers. A specially crafted DNS record in combination with a request to a vulnerable server could lead to remote code execution (RCE).

SophosLabs has rated both of these bulletins as high, as well as a bulletin on Microsoft Data Access Components and Microsoft Visio which Microsoft has rated important.

Other Microsoft components that were patched include Visual Studio, .NET, RDP, Windows Kernel and the TCP/IP stack. Microsoft’s advisories can be found on the MSRC blog.

Adobe has also released its Patch Tuesday bulletins today. There are two fixes for Adobe Air, nine for Flash Media Server, 46 for Flash Player, two for Photoshop CS5, four for RoboHelp, five for RoboHelp Server and 11 in Shockwave Player.

Adobe has published the details of these bulletins on its PSIRT blog and SophosLabs has rated the threat level of the Flash Player fixes as high.

As always, it is important to deploy these fixes as soon as possible. Fortunately there are only five bulletins SophosLabs considers high risk, so we can get those out there quickly and start preparing for next month.