Vulnerabilities / Threats
3/25/2014
10:04 AM
Connect Directly
RSS
E-Mail
100%
0%

Outlook Users Face Zero-Day Attack

Simply previewing maliciously crafted RTF documents in Outlook triggers exploit of bug present in Windows and Mac versions of Word, Microsoft warns.

Windows 8.1 Update 1: 10 Key Changes
Windows 8.1 Update 1: 10 Key Changes
(Click image for larger view and slideshow.)

There is a new zero-day attack campaign that's using malicious RTF documents to exploit vulnerable Outlook users on Windows and Mac OS X systems, even if the emailed documents are only previewed.

That warning was sounded Monday by Microsoft, which said that it's seen "limited, targeted attacks" in the wild that exploit a newly discovered Microsoft Word RTF file format parser flaw, which can be used to corrupt system memory and execute arbitrary attack code.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user," said a Microsoft's security advisory. "If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

[Are you prepared for the end of Windows XP support? Read Windows XP: Feds Brace For End Of Support.]

The only related in-the-wild exploits of the flaw (CVE-2014-1761) seen to date have targeted Microsoft Word 2010. But the vulnerability is present in multiple Windows versions of Word (2003, 2007, 2010, 2013), Word Automation Services on Microsoft SharePoint Server (2010 and 2013), and Microsoft Office Web Apps (2010 and Server 2013). In addition, the bug is also present in Microsoft Office for Mac 2011.

While the vulnerability technically exists in Word, it's being exploited when Word is set to be the email viewer for Outlook, which is the typical setup. "By default, Microsoft Word is the email reader in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013," according to Microsoft.

How can Outlook and Word users mitigate the vulnerability? Microsoft has detailed multiple workarounds -- all temporary -- pending its release of security patches. One workaround is an automated "Fix It" tool for Microsoft Word (2010, 2013) and Office (2003, 2007), which will "disable RTF as a supported format in Microsoft Office," Wolfgang Kandek, CTO of Qualys, said via email. An Active Directory Group Policy can also be set to block RTF files for affected versions of Word.

(Image: Elliot Brown)
(Image: Elliot Brown)

Outlook can also be set to read in plaintext all "standard" emails -- meaning messages that aren't digitally signed or encrypted -- which will block related attacks. According to Microsoft, using plaintext strips the "junk tags" used by attackers from RTF documents. It said attackers have also included a secondary attack that bypasses address space layout randomization (ASLR) and then uses return-oriented programming (ROP) to execute shell code, which installs a backdoor onto the affected system, and "phones home" to a command-and-control server via encrypted SSL traffic.

Microsoft said its Enhanced Mitigation Experience Toolkit (EMET), when installed on a system and configured to work with Microsoft Office, also appears to block related attacks. "Our tests showed that EMET default configuration can block the exploits seen in the wild," according to a Microsoft Security Research and Defense blog post written by Microsoft engineers Chengyun Chu and Elia Florio. "In this case, EMET's mitigations such as 'Mandatory ASLR' and anti-ROP features effectively stop the exploit."

Multiple security experts have warned that anyone using the vulnerable Microsoft software should tap one or more of the mitigation techniques, since the bug will likely soon be exploited on a much more wide-scale basis.

If news of the RTF vulnerability creates a sense of déjà vu, that's because attacks involving maliciously crafted documents that could exploit systems just when previewed used to be a more common occurrence.

"This isn't, of course, the first time that malware has been able to infect computers just by emails being read -- as opposed to links being clicked on, or attachments opened," said Graham Cluley, an independent security researcher, in a blog post. "Readers with long memories may remember the BubbleBoy and Kakworm attacks, for instance. Kakworm became particularly widespread at the tail end of the 1990s, exploiting a security hole in Microsoft Outlook Express to spread."

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Strategist
3/25/2014 | 11:20:05 AM
Email insecurity
Ugh.  Between this stuff and the NSA debacle, this makes me want to go back to smoke signals for communication.
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
3/26/2014 | 7:10:53 PM
All eggs in one basket
That is what one gets from clinging to the Microsoft monoculture in the enterprise. If not everyone would run Exchange/Outlook/MS Office there would be less of a reason to target Microsoft products.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Strategist
3/26/2014 | 8:49:06 PM
Re: All eggs in one basket
TBH, I don't think it's much of a "Microsoft monoculture" anymore.  Apple has made SIGNIFICANT headway in the enterprise, as have other competitors.  More malware is targeted to Apple than ever before (partly because of those awful Java vulnerabilities), and Android is seeing more enterprise adoption -- and hack/malware targeting -- as well.

Anyway, I'm personally a Lotus fan.
J_Brandt
50%
50%
J_Brandt,
User Rank: Apprentice
3/31/2014 | 11:46:07 PM
Re: All eggs in one basket
Microsoft is only the target because of its market share.  If you're going to write an exploit, you want it to have the greatest effect possible.  Also the larger the install base the more the curve of skills and patching.
David F. Carr
100%
0%
David F. Carr,
User Rank: Apprentice
3/25/2014 | 12:59:29 PM
Email spam/AV protection for Outlook bug?
Are email filtering programs such as Postini and Barracuda scanning for this yet?
codyhalter281
0%
100%
codyhalter281,
User Rank: Apprentice
3/25/2014 | 2:01:20 PM
Let See
just as Rebecca said I can't believe that you able to get paid $8327 in four weeks on the computer . site here>
>>>>>> w­w­­w­.­b­a­y­9­1­.­C­ℴ­M
Indian-Art
50%
50%
Indian-Art,
User Rank: Apprentice
3/26/2014 | 1:27:26 PM
Thunderbird is safe
Time to take the free, safe, secure & feature-packed LibreOffice for a spin. Its truly multi-platform & takes just a few minutes to install.

Try it you have so much to gain: www.libreoffice.org/download

I think Thunderbird is safe as well.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.