3/25/2014 10:04 AM

Outlook Users Face Zero-Day Attack

Simply previewing maliciously crafted RTF documents in Outlook triggers exploit of bug present in Windows and Mac versions of Word, Microsoft warns.


There is a new zero-day attack campaign that's using malicious RTF documents to exploit vulnerable Outlook users on Windows and Mac OS X systems, even if the emailed documents are only previewed.

That warning was sounded Monday by Microsoft, which said that it's seen "limited, targeted attacks" in the wild that exploit a newly discovered Microsoft Word RTF file format parser flaw, which can be used to corrupt system memory and execute arbitrary attack code.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user," said Microsoft's security advisory. "If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."


The only in-the-wild exploits of the flaw (CVE-2014-1761) seen to date have targeted Microsoft Word 2010. But the vulnerability is present in multiple Windows versions of Word (2003, 2007, 2010, 2013), in Word Automation Services on Microsoft SharePoint Server (2010 and 2013), and in Microsoft Office Web Apps (2010 and Server 2013). The bug is also present in Microsoft Office for Mac 2011.

While the vulnerability technically exists in Word, it's being exploited when Word is set to be the email viewer for Outlook, which is the typical setup. "By default, Microsoft Word is the email reader in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013," according to Microsoft.

How can Outlook and Word users mitigate the vulnerability? Microsoft has detailed multiple workarounds -- all temporary -- pending its release of security patches. One workaround is an automated "Fix It" tool for Microsoft Word (2010, 2013) and Office (2003, 2007), which will "disable RTF as a supported format in Microsoft Office," Wolfgang Kandek, CTO of Qualys, said via email. An Active Directory Group Policy can also be set to block RTF files for affected versions of Word.

(Image: Elliot Brown)

Outlook can also be set to read all "standard" emails -- meaning messages that aren't digitally signed or encrypted -- in plaintext, which blocks related attacks. According to Microsoft, reading in plaintext strips the "junk tags" attackers use in RTF documents. It said the attackers have also included a secondary stage that bypasses address space layout randomization (ASLR) and then uses return-oriented programming (ROP) to execute shellcode, which installs a backdoor onto the affected system and "phones home" to a command-and-control server over encrypted SSL traffic.
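The two registry-backed workarounds above (blocking RTF in Word via File Block, and forcing Outlook to read standard mail as plain text) can be audited or applied per user with a short script. The following PowerShell is an added example written for this page; it is not code from the article, from Microsoft's advisory, or from the Fix It tool. The registry paths and values are my assumptions based on the Office File Block settings and the Outlook "read as plain text" setting; verify them against Microsoft's advisory for your Office build before pushing them through Group Policy.

```powershell
# Added example (not from the article or Microsoft): audit, or with -Apply set,
# the per-user (HKCU) registry values behind two workarounds for CVE-2014-1761.
# Paths and values are assumptions drawn from Office File Block and Outlook
# read-as-plain-text settings; confirm them against Microsoft's advisory.
[CmdletBinding()]
param(
    [switch]$Apply   # default is audit-only; -Apply writes the expected values
)

# Office registry version tokens: 12.0 = 2007, 14.0 = 2010, 15.0 = 2013.
# Word 2003 (11.0) uses a different blocking mechanism and is not covered here.
$versions = [ordered]@{ '12.0' = '2007'; '14.0' = '2010'; '15.0' = '2013' }

function Assert-RegistryValue {
    # Report whether $Path\$Name already holds $Expected; write it when -Apply is given.
    param(
        [string]$Path,
        [string]$Name,
        [int]$Expected,
        [switch]$Apply
    )
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Expected) {
        Write-Output "OK       $Path\$Name = $Expected"
        return
    }
    if ($Apply) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Expected -Force | Out-Null
        Write-Output "SET      $Path\$Name = $Expected (was '$current')"
    } else {
        Write-Output "MISSING  $Path\$Name (is '$current', want $Expected)"
    }
}

foreach ($ver in $versions.Keys) {
    $office = "HKCU:\Software\Microsoft\Office\$ver"
    # Skip Office releases that are not installed for this user.
    if (-not (Test-Path $office)) { continue }
    Write-Output "--- Office $($versions[$ver]) ($ver) ---"

    # Workaround 1: File Block for RTF in Word (what the Fix It and the Group
    # Policy setting described in the article accomplish).
    $fileBlock = "$office\Word\Security\FileBlock"
    if ($ver -eq '12.0') {
        # Word 2007: assumed value 1 = block RTF (2007 File Block uses a single flag).
        Assert-RegistryValue -Path $fileBlock -Name 'RtfFiles' -Expected 1 -Apply:$Apply
    } else {
        # Word 2010/2013: assumed values RtfFiles = 2 (block open and save) and
        # OpenInProtectedView = 0 (do not open at all, rather than fall back to
        # Protected View).
        Assert-RegistryValue -Path $fileBlock -Name 'RtfFiles' -Expected 2 -Apply:$Apply
        Assert-RegistryValue -Path $fileBlock -Name 'OpenInProtectedView' -Expected 0 -Apply:$Apply
    }

    # Workaround 2: Outlook reads all standard (unsigned, unencrypted) mail as
    # plain text, which discards the RTF content the exploit depends on.
    Assert-RegistryValue -Path "$office\Outlook\Options\Mail" -Name 'ReadAsPlain' -Expected 1 -Apply:$Apply
}
```

Run it without arguments on a workstation to see which values are missing, and with `-Apply` to set them for the current user. Because these live under HKCU, they must be applied per user (a logon script or Group Policy Preferences item); for a domain-wide rollout the equivalent settings in the Office ADMX templates are the cleaner route, and the values should be reverted once Microsoft's patch is installed, since File Block also stops users from opening legitimate RTF files.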

Microsoft said its Enhanced Mitigation Experience Toolkit (EMET), when installed on a system and configured to work with Microsoft Office, also appears to block related attacks. "Our tests showed that EMET default configuration can block the exploits seen in the wild," according to a Microsoft Security Research and Defense blog post written by Microsoft engineers Chengyun Chu and Elia Florio. "In this case, EMET's mitigations such as 'Mandatory ASLR' and anti-ROP features effectively stop the exploit."

Multiple security experts have warned that anyone using the vulnerable Microsoft software should tap one or more of the mitigation techniques, since the bug will likely soon be exploited on a much more wide-scale basis.

If news of the RTF vulnerability creates a sense of déjà vu, that's because attacks involving maliciously crafted documents that could exploit systems just when previewed used to be a more common occurrence.

"This isn't, of course, the first time that malware has been able to infect computers just by emails being read -- as opposed to links being clicked on, or attachments opened," said Graham Cluley, an independent security researcher, in a blog post. "Readers with long memories may remember the BubbleBoy and Kakworm attacks, for instance. Kakworm became particularly widespread at the tail end of the 1990s, exploiting a security hole in Microsoft Outlook Express to spread."


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Comments
J_Brandt, User Rank: Apprentice
3/31/2014 | 11:46:07 PM
Re: All eggs in one basket
Microsoft is only the target because of its market share. If you're going to write an exploit, you want it to have the greatest effect possible. Also, the larger the install base, the more the curve of skills and patching.
Joe Stanganelli, User Rank: Ninja
3/26/2014 | 8:49:06 PM
Re: All eggs in one basket
TBH, I don't think it's much of a "Microsoft monoculture" anymore.  Apple has made SIGNIFICANT headway in the enterprise, as have other competitors.  More malware is targeted to Apple than ever before (partly because of those awful Java vulnerabilities), and Android is seeing more enterprise adoption -- and hack/malware targeting -- as well.

Anyway, I'm personally a Lotus fan.
moarsauce123, User Rank: Apprentice
3/26/2014 | 7:10:53 PM
All eggs in one basket
That is what one gets from clinging to the Microsoft monoculture in the enterprise. If not everyone ran Exchange/Outlook/MS Office, there would be less of a reason to target Microsoft products.
Indian-Art, User Rank: Apprentice
3/26/2014 | 1:27:26 PM
Thunderbird is safe
Time to take the free, safe, secure & feature-packed LibreOffice for a spin. It's truly multi-platform & takes just a few minutes to install.

Try it, you have so much to gain: www.libreoffice.org/download

I think Thunderbird is safe as well.
David F. Carr, User Rank: Strategist
3/25/2014 | 12:59:29 PM
Email spam/AV protection for Outlook bug?
Are email filtering programs such as Postini and Barracuda scanning for this yet?
Joe Stanganelli, User Rank: Ninja
3/25/2014 | 11:20:05 AM
Email insecurity
Ugh.  Between this stuff and the NSA debacle, this makes me want to go back to smoke signals for communication.