Monday, July 4, 2022

Attack combining Office exploits shows need to improve patching speed

Exploits of holes in Microsoft Office have been around for years, but Cisco Systems’ Talos threat intelligence service has sighted a new email-based campaign that combines two exploits in hopes of doubling their effect.

Fortunately, the company notes in a blog post, the creators made some errors, so the effect of the attempt has been blunted. But the discovery serves as another warning that threat actors are creative, and of the need to speed up patching procedures.

“Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents,” Cisco notes. The idea, apparently, is to avoid the prompts Office gives when administrators have configured the suite not to automatically execute macros or run remote files; instead of running the content silently, Office displays a warning and asks the user for permission to run it.

However, possibly because of poor testing or quality control, this version of the malware doesn’t work.

The package combines CVE-2017-0199, disclosed in April, which allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTML application (HTA) files are opened and parsed by Microsoft Word, with a five-year-old exploit, CVE-2012-0158, which allows remote attackers to execute arbitrary code. Both have already been patched.

The particular attack seen by Cisco started with an email carrying a supposed purchase order attachment. That document is an RTF file including an Ole2Link to a remote document. Tested on a vulnerable version of Office, Word started to convert the downloaded document but then crashed with a memory protection error when the CVE-2012-0158 exploit started to run. Perhaps, Cisco speculates, the authors didn’t realize what would happen if the two exploits tried to run together.

“If the attackers would have been just a little bit more technically savvy they would realize this problem and easily fix it to make these two exploits work together successfully without the prompt to load the remote content being displayed to the end-user,” says Cisco — although it notes that the shellcode in the document containing the CVE-2012-0158 exploit will be successfully executed if there are no other open RTF files on the infected system.

This kind of attack won’t work on a system that has received a patch for either vulnerability. Cisco suspects the threat actors hoped the combination would keep Word from displaying the warning prompt. Another possibility is that they were trying to evade behavioral detection systems that may trigger on the combination of an Ole2Link in a Word document and a download of an HTA file.
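The two indicators the article describes, an Ole2Link object embedded in an RTF file and a link out to a remote HTA file, can be checked statically before a document ever reaches Word, which is one way a mail gateway or triage script complements the behavioral detection mentioned above. The scanner below is an added illustration for this article and is not code from Cisco Talos or IT World Canada. It assumes only the standard RTF layout, in which an object's binary content follows the `\objdata` control word as hex digits; the sample document, the `OLE2Link` marker placement and the `example.invalid` URL are constructed test data, not a real or working document.

```python
import re
from typing import Dict, List

# Constructed sample: a minimal RTF skeleton carrying one \object whose
# \objdata hex payload contains the "OLE2Link" marker followed by a
# UTF-16LE URL that points at an .hta file. It is test data for the
# scanner below, not a real document.
_SAMPLE_PAYLOAD = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"      # placeholder header bytes (constructed)
    + b"OLE2Link" + b"\x00" * 8
    + "http://example.invalid/orders/po.hta".encode("utf-16-le")
    + b"\x00\x00"
)

SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
    r"{\*\objdata " + _SAMPLE_PAYLOAD.hex() + "}}}"
)

# \objdata is followed by the object's binary content encoded as hex digits,
# which RTF writers are free to break across lines and pad with whitespace.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
URL_RE = re.compile(rb"(?:https?|file)://[\x21-\x7e]+")


def extract_objdata(rtf_text: str) -> List[bytes]:
    """Decode the hex payload of every \\objdata control word in the RTF text."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf_text):
        hexdigits = re.sub(r"\s+", "", match.group(1))
        if len(hexdigits) % 2:            # tolerate a dangling nibble
            hexdigits = hexdigits[:-1]
        try:
            blobs.append(bytes.fromhex(hexdigits))
        except ValueError:
            continue
    return blobs


def find_urls(blob: bytes) -> List[str]:
    """Pull URLs out of an object payload, whether stored as ASCII or UTF-16LE."""
    found = [u.decode("ascii") for u in URL_RE.findall(blob)]
    # A URL moniker stores its target as UTF-16LE; dropping the NUL bytes
    # turns "h\x00t\x00t\x00p\x00" back into "http" for the same regex.
    narrowed = blob.replace(b"\x00", b"")
    found += [u.decode("ascii") for u in URL_RE.findall(narrowed)]
    return list(dict.fromkeys(found))     # de-duplicate, keep order


def scan_rtf(rtf_text: str) -> Dict[str, object]:
    """Flag embedded objects that carry an Ole2Link and link out to a remote HTA file."""
    report = {"ole2link": False, "urls": [], "remote_hta": False}
    for blob in extract_objdata(rtf_text):
        if b"OLE2Link" in blob or b"OLE2Link" in blob.replace(b"\x00", b""):
            report["ole2link"] = True
        for url in find_urls(blob):
            report["urls"].append(url)
            if url.lower().rstrip("/").endswith(".hta"):
                report["remote_hta"] = True
    return report


if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
```

A report with both `ole2link` and `remote_hta` set is the static counterpart of the behavioral combination the article mentions; on its own, an embedded object with a link is common in legitimate documents, so the two flags together, not either alone, are what should raise the document's priority for quarantine or analyst review.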

Either way, the lesson for infosec pros is that patching is as vital as ever. The blog notes that the three-month-old CVE-2017-0199 has already become one of the most commonly exploited vulnerabilities in email attacks. That means large enterprises no longer have the luxury of testing a patch against every combination of hardware and software before deploying it. Patch testing procedures must become more efficient.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
