3/25/2014 10:04 AM
Outlook Users Face Zero-Day Attack

Simply previewing maliciously crafted RTF documents in Outlook triggers exploit of bug present in Windows and Mac versions of Word, Microsoft warns.


There is a new zero-day attack campaign that's using malicious RTF documents to exploit vulnerable Outlook users on Windows and Mac OS X systems, even if the emailed documents are only previewed.

That warning was sounded Monday by Microsoft, which said that it's seen "limited, targeted attacks" in the wild that exploit a newly discovered Microsoft Word RTF file format parser flaw, which can be used to corrupt system memory and execute arbitrary attack code.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user," said Microsoft's security advisory. "If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."


The only in-the-wild exploits of the flaw (CVE-2014-1761) seen to date have targeted Microsoft Word 2010. But the vulnerability is present in multiple Windows versions of Word (2003, 2007, 2010, 2013), Word Automation Services on Microsoft SharePoint Server (2010 and 2013), and Microsoft Office Web Apps (2010 and Server 2013). The bug is also present in Microsoft Office for Mac 2011.

While the vulnerability technically exists in Word, it's being exploited when Word is set to be the email viewer for Outlook, which is the typical setup. "By default, Microsoft Word is the email reader in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013," according to Microsoft.

How can Outlook and Word users mitigate the vulnerability? Microsoft has detailed multiple workarounds -- all temporary -- pending its release of security patches. One workaround is an automated "Fix It" tool for Microsoft Word (2010, 2013) and Office (2003, 2007), which will "disable RTF as a supported format in Microsoft Office," Wolfgang Kandek, CTO of Qualys, said via email. An Active Directory Group Policy can also be set to block RTF files for affected versions of Word.

(Image: Elliot Brown)

Outlook can also be set to read in plaintext all "standard" emails -- meaning messages that aren't digitally signed or encrypted -- which will block related attacks. According to Microsoft, using plaintext strips the "junk tags" used by attackers from RTF documents. It said attackers have also included a secondary attack that bypasses address space layout randomization (ASLR) and then uses return-oriented programming (ROP) to execute shell code, which installs a backdoor onto the affected system, and "phones home" to a command-and-control server via encrypted SSL traffic.
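The two per-user workarounds described above (blocking RTF in Word, and reading standard mail as plain text in Outlook) both come down to registry settings, so an administrator can audit a fleet for them before the patch ships. The script below is an added example, not Microsoft's Fix It or anything from the article; the registry paths and value names (Word's `Security\FileBlock\RtfFiles`, Outlook's `Options\Mail\ReadAsPlain`) are taken from Microsoft's documentation of these workarounds and should be verified against the current advisory before use. It covers Office 2007/2010/2013 on Windows only; the Mac 2011 build has no equivalent here.

```powershell
# Added example: audit (and with -Apply, set) the RTF file-block and
# plain-text-reading workarounds for the RTF parser flaw. Registry names are
# assumed from Microsoft's workaround documentation, not from this article.
param([switch]$Apply)

# Office version keys: 12.0 = 2007, 14.0 = 2010, 15.0 = 2013.
$versions = @{ '12.0' = 'Office 2007'; '14.0' = 'Office 2010'; '15.0' = 'Office 2013' }

function Get-Setting($path, $name) {
    if (Test-Path $path) {
        $v = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $v) { return $v.$name }
    }
    return $null
}

function Set-Setting($path, $name, $value) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -Value $value -PropertyType DWord -Force | Out-Null
}

foreach ($ver in $versions.Keys) {
    $word = "HKCU:\Software\Microsoft\Office\$ver\Word"
    if (-not (Test-Path $word)) { continue }   # this Office version is not installed
    $label = $versions[$ver]

    # Workaround 1: Word File Block. RtfFiles = 2 means "do not open" RTF files.
    $fb      = "$word\Security\FileBlock"
    $blocked = ((Get-Setting $fb 'RtfFiles') -eq 2)
    Write-Output ('{0}: RTF file block {1}' -f $label, $(if ($blocked) { 'ENABLED' } else { 'not set' }))

    # Workaround 2: Outlook reads all standard (unsigned, unencrypted) mail as plain text.
    $mail  = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Options\Mail"
    $plain = ((Get-Setting $mail 'ReadAsPlain') -eq 1)
    Write-Output ('{0}: Outlook plain-text reading {1}' -f $label, $(if ($plain) { 'ENABLED' } else { 'not set' }))

    if ($Apply) {
        if (-not $blocked) {
            Set-Setting $fb 'RtfFiles' 2
            Set-Setting $fb 'OpenInProtectedView' 0   # block outright rather than sandbox
        }
        if (-not $plain) { Set-Setting $mail 'ReadAsPlain' 1 }
        Write-Output ('{0}: workarounds applied; restart Office applications' -f $label)
    }
}
```

Run without `-Apply` first to see which users still lack the settings; the same values can be pushed fleet-wide through Group Policy Preferences instead of per-host scripting.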

Microsoft said its Enhanced Mitigation Experience Toolkit (EMET), when installed on a system and configured to work with Microsoft Office, also appears to block related attacks. "Our tests showed that EMET default configuration can block the exploits seen in the wild," according to a Microsoft Security Research and Defense blog post written by Microsoft engineers Chengyun Chu and Elia Florio. "In this case, EMET's mitigations such as 'Mandatory ASLR' and anti-ROP features effectively stop the exploit."

Multiple security experts have warned that anyone using the vulnerable Microsoft software should tap one or more of the mitigation techniques, since the bug will likely soon be exploited on a much more wide-scale basis.

If news of the RTF vulnerability creates a sense of déjà vu, that's because attacks in which a maliciously crafted document compromised a system merely by being previewed were once far more common.

"This isn't, of course, the first time that malware has been able to infect computers just by emails being read -- as opposed to links being clicked on, or attachments opened," said Graham Cluley, an independent security researcher, in a blog post. "Readers with long memories may remember the BubbleBoy and Kakworm attacks, for instance. Kakworm became particularly widespread at the tail end of the 1990s, exploiting a security hole in Microsoft Outlook Express to spread."


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
Joe Stanganelli, User Rank: Strategist
3/25/2014 | 11:20:05 AM
Email insecurity
Ugh. Between this stuff and the NSA debacle, this makes me want to go back to smoke signals for communication.
David F. Carr, User Rank: Apprentice
3/25/2014 | 12:59:29 PM
Email spam/AV protection for Outlook bug?
Are email filtering programs such as Postini and Barracuda scanning for this yet?
Indian-Art, User Rank: Apprentice
3/26/2014 | 1:27:26 PM
Thunderbird is safe
Time to take the free, safe, secure & feature-packed LibreOffice for a spin. It's truly multi-platform & takes just a few minutes to install.

Try it, you have so much to gain: www.libreoffice.org/download

I think Thunderbird is safe as well.
moarsauce123, User Rank: Apprentice
3/26/2014 | 7:10:53 PM
All eggs in one basket
That is what one gets from clinging to the Microsoft monoculture in the enterprise. If not everyone ran Exchange/Outlook/MS Office, there would be less of a reason to target Microsoft products.
Joe Stanganelli, User Rank: Strategist
3/26/2014 | 8:49:06 PM
Re: All eggs in one basket
TBH, I don't think it's much of a "Microsoft monoculture" anymore. Apple has made SIGNIFICANT headway in the enterprise, as have other competitors. More malware is targeted to Apple than ever before (partly because of those awful Java vulnerabilities), and Android is seeing more enterprise adoption -- and hack/malware targeting -- as well.

Anyway, I'm personally a Lotus fan.
J_Brandt, User Rank: Apprentice
3/31/2014 | 11:46:07 PM
Re: All eggs in one basket
Microsoft is only the target because of its market share. If you're going to write an exploit, you want it to have the greatest effect possible. Also, the larger the install base, the more the curve of skills and patching.