Microsoft Security Advisory: Microsoft Word Under Siege


Microsoft is warning that attackers are targeting a serious zero-day vulnerability in all currently supported versions of Microsoft Word and advises businesses to consider using a temporary patch to thwart ongoing attack attempts.

Microsoft said in a Monday advisory that the attacks are directed at a remote code vulnerability in Microsoft Word 2010. Employees can be infected by simply previewing an Outlook email designed to target the flaw. Cybercriminals have developed a working exploit that targets a vulnerability in the way Word handles rich text format (.RTF) files. The issue also impacts users of Microsoft Office for Mac 2011.

"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," Microsoft said in its advisory. "Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights."

[Related: Microsoft Update Fixes Serious Internet Explorer Zero-Day]

Attackers can also exploit the flaw in drive-by attack campaigns, targeting visitors of an infected website. The flaw creates a memory corruption condition that can be used by an attacker to execute code and drop a malicious payload.

To thwart attacks, administrators can turn off Microsoft Word as an email viewer, Microsoft said. Microsoft Word is used in email viewing mode by default in Microsoft Outlook 2007, Microsoft Outlook 2010 and Microsoft Outlook 2013.

Microsoft has issued an automated, temporary patch to address the issue. The company said it acts to prevent attackers from targeting the flaw by configuring Microsoft Office policy to not open RTF files. As another preventative measure, users can be forced to open messages in text-only format.

Enterprise administrators can create their own custom protection using Trust Center features of Office instead of the automated, temporary FixIt patch, said Chengyun Chu and Elia Florio of the Microsoft Security Response Center engineering team in a detailed analysis of the threat. The software engineers said the attack bypasses security restrictions built into Windows.
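One way to apply the two Office-side workarounds described above (blocking RTF files in Word through the Trust Center File Block settings, and forcing Outlook to read messages as plain text) and to audit whether they are in place, as an added example that is not from the article, from Microsoft's Fix It, or from the MSRC analysis. It assumes the Office 2010 (14.0) per-user registry paths for Word File Block and Outlook mail options; the version segment is a parameter so it can be adjusted for other releases.

```powershell
# Added example: apply and audit the RTF workarounds the article describes.
# Assumes Office 2010 (14.0) per-user paths; 12.0 = Office 2007, 15.0 = Office 2013.
param([string]$OfficeVersion = "14.0", [switch]$Audit)

$WordFileBlock = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"
$OutlookMail   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

# Desired state:
#   RtfFiles=2            blocks both opening and saving RTF in Word
#   OpenInProtectedView=0 refuses blocked files instead of opening them in Protected View
#   ReadAsPlain=1         makes Outlook render every message as plain text
$Desired = @(
    @{ Path = $WordFileBlock; Name = "RtfFiles";            Value = 2 },
    @{ Path = $WordFileBlock; Name = "OpenInProtectedView"; Value = 0 },
    @{ Path = $OutlookMail;   Name = "ReadAsPlain";         Value = 1 }
)

function Set-RtfWorkaround {
    foreach ($s in $Desired) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

function Test-RtfWorkaround {
    # One row per setting, so results can be collected from many hosts and compared.
    foreach ($s in $Desired) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = "$($s.Path)\$($s.Name)"
            Expected  = $s.Value
            Current   = $current
            Compliant = ($current -eq $s.Value)
        }
    }
}

if (-not $Audit) { Set-RtfWorkaround }
Test-RtfWorkaround | Format-Table -AutoSize
```

Run with `-Audit` to report the current state without changing anything; without it the script applies the settings and then reports compliance.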

"The attack detected in the wild is limited and very targeted in nature," the software engineers said.

The malware also was designed to defeat automated sandbox and file analysis tools, they said. The malware payload dropped by the attackers via a back door is generic and supports encrypted communication and additional scripts to run more components.

Microsoft credits software engineers Drew Hintz, Shane Huntley and Matty Pellegrino from the Google Security team for the discovery.

Solution providers say the latest threat is a reminder that attackers are consistently targeting vulnerabilities that help them trick end users into making mistakes, such as opening a bogus Word document. Known vulnerabilities that have no official patch from the software maker are called zero-days, but security experts at solution providers say system administrators can add preventative measures to reduce the risk of an infection, from disabling targeted components to implementing workarounds designed to thwart the specific attack.

"The biggest sorts of issues we see day in and day out are on the desktop," said Jeff Sumner, president of Swarthmore, Pa.-based TechGuides. "Our big push right now is education of the clients and to get the owners to understand that educating users how to keep their data safe can often translate into the users keeping their employer's data more secure."

Companies serious about security are blocking users from visiting websites that could host malware and other threats. Zero-day flaws are often targeted at Web browsers, a critical component used to gain access to critical systems, Sumner said. Microsoft repaired two Internet Explorer zero-day vulnerabilities in its March 2014 Patch Tuesday round of updates, one of which was actively exploited in a targeted attack against U.S. military personnel.
