Vulnerabilities / Threats
11/8/2013
12:43 PM
50%
50%

Criminals Exploit Microsoft Office Zero-Day Flaw

At least two sets of attackers have been using malicious Office documents to exploit the graphics processing vulnerability.

Windows 8.1: A Visual Tour
Windows 8.1: Visual Tour
(click image for larger view)
Warning: Attacks against a zero-day vulnerability in Microsoft Office are more extensive than first believed. That finding further reinforces security experts' recommendation that businesses install an emergency mitigation technique released by Microsoft as quickly as possible.

At least two different criminal groups appear to have been successfully targeting the zero-day bug, using malicious Office documents. The flaw has been traced to a remote-code execution vulnerability in Microsoft graphics functionality that handles the TIFF file format.

What's the risk? "An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted Web content," according to a Microsoft security advisory. "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," and execute arbitrary code or install malware.

[ Do you still use Windows XP? Read Windows XP Security Apocalypse: Prepare To Be Pwned. ]

Pending a patch, Microsoft has released an emergency "Fix it" that fully mitigates the vulnerability. Given the lack of lead time, security experts don't expect a patch for the zero-day vulnerability -- discovered this week -- to be ready for inclusion in this month's regularly scheduled Microsoft patch release, which is due to happen Tuesday.

To date, related attacks have targeted users of Microsoft Office 2003, 2007 and 2010, and targeted organizations have reportedly received booby-trapped Office documents. The graphics vulnerability is being exploited in a novel way: "We found the DEP status was 'on' at the process start but 'off' during shellcode execution,'" said Vinay Karecha, a McAfee Labs researcher, in a teardown of exploit code that refers to the advanced attack mitigation attack known as data execution prevention, which together with address space layout randomization (ASLR) has made Windows much more difficult for malware-writers to exploit.

"Our analyzed exploit didn't bypass ASLR and DEP," said Karecha. "Instead, it leveraged a backward-compatibility feature in Office 2007 to disable DEP. Without DEP, ASLR is quite easy to bypass."

According to FireEye researcher Mike Scott, one of the two groups that's been exploiting this zero-day vulnerability appears to be operating from India. "Our analysis has revealed a connection between these attacks and those previously documented in Operation Hangover, which adds India and Pakistan into the mix of targets," he said in a blog post. "Information obtained from a command-and-control server (CnC) used in recent attacks leveraging this zero-day exploit revealed that the Hangover group, believed to operate from India, has compromised 78 computers, 47 percent of those in Pakistan."

Norwegian security software vendor Norman was the first to highlight Operation Hangover in May, saying the Hangover group had been launching advanced persistent threat (APT) attacks since at least 2010. Norman also found multiple references in the malware code to Indian information security software and "ethical hacking" vendor Appin. Some security experts alleged that was a smoking gun that tied the APT attacks to Appin, and that the Hangover group's list of government targets in Pakistan suggests the Indian government might have commissioned the attacks. But Appin has continued to vigorously deny that it had any role in the attacks.

A second group, meanwhile, has been using the Microsoft graphics vulnerability to infect targeted PCs with Citadel malware, which is designed to steal financial information. "This group, which we call the Arx group, may have had access to the exploit before the Hangover group did," said FireEye's Scott. "Information obtained from CnCs operated by the Arx group revealed that 619 targets (4,024 unique IP addresses) have been compromised. The majority of the targets are in India (63%) and Pakistan (19%)."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?