MS Word
McAfee and FireEye reported the detection of real attacks on Microsoft Word users through a new 0day vulnerability, for which a patch has not yet been released. Vulnerability allows you to quietly execute arbitrary code on your victim’s computer and install malicious software. The most unpleasant, all versions of MS Word are affected on all versions of Windows, including the latest version of Office 2016 under Windows 10, even with macros turned off.Microsoft is notified of the vulnerability and must prepare a patch for the security update Patch Tuesday, which Will be held tomorrow, 11 April. However, as history shows with a similar 0day vulnerability CVE-2014-4114 / 6352 (aka Sandworm), Microsoft does not always manage to close 0day from the first patch.
Researchers at McAfee write that they found the first attacks using this 0day in January of this year. Apparently, they only recently received samples of malicious code, so they were able to analyze in detail the infection mechanism.
During the attack, Word files are used (specifically, RTF documents with .doc extension).
If the protected mode of Office Protected View is disabled in Microsoft Word, then the exploit is automatically launched when the document is opened. After that, the winword.exe process makes an HTTP request to the remote server, from where it downloads an HTA file (an HTML application) disguised as an RTF document. The HTA file automatically launches and executes a malicious script. This script closes the original infected Word file, and instead shows the user a dummy text document. The original winword.exe process closes to hide the user from the window that displays OLE2Link. At the same time, the script downloads additional malicious code from the remote server for installation on the computer.
Using the .hta version, McAfee researchers write, the authors of the exploit effectively bypass all the memory protection measures implemented by Microsoft, as well as antivirus protection and the majority Other protection methods.
Here is a fragment of communication with the server:
HTA masking in the form of an RTF document is performed to bypass antivirus programs, if installed on the victim’s computer. At the bottom of this document, malicious Visual Basic scripts are written that do all the work.
McAfee experts write that this 0day vulnerability is related to the function of Object Linking and Embedding OLE) – an important part of the functionality of Office, which actually allows you to embed some documents inside others. This function has been used repeatedly for various attacks. For example, back in 2015, the same McAfee specialists prepared a presentation for the Black Hat USA hacker conference in which they talked about possible vectors of attack through OLE.
FireEye employees claim that they discovered this vulnerability before McAfee and were first to be sent The message in Microsoft, but remained silent until the release of the patch. After the publication of the McAfee blog post, there is no sense to keep silent, so they also reported on what they could understand after analyzing this exploit.
In FireEye products, malicious documents are defined as Malware.Binary.Rtf.
Security specialist Mikko Hypponenov learned that Microsoft will accurately release a patch for this vulnerability in the nearest Patch Tuesday, that is, tomorrow, April 11, 2017.
Before installing the patch, you can lock RTF in the registry in such a way: set the value in the registry to
Software Microsoft Office 15.0 Word Security FileBlock RtfFiles to 2, and OpenInProtectedView To 0. In this case, when you try to open a file in RTF format, the following message will appear:
By the way, this is a recommendation from Ryan Hanson, who claims that it was he Found this 0day in July, and reported it in October 2016. And now it was disclosed by strangers. If he is telling the truth, then Microsoft really does cover critical vulnerabilities for a very long time.
But the tests showed that when the protected Office Protected View mode is opened, the exploit can not run for execution, so blocking RTF is an extreme measure.
In any case, all users of Microsoft Office in the near future are highly recommended:
- Do not open any Office documents obtained from unreliable sources.
- Enable Office Protected View protection.
Antivirus companies do not say who was the victim of the attacks. But from past experience it is known that such 0day are often used in targeted attacks on the state order. It’s strange that Microsoft has been working on the patch for so long.
