Microsoft Office, ubiquitous on enterprise and personal computers, is a hot target for cybercriminals and a key focus area for researchers hoping to find bugs before the bad guys do.

Stan Hegt and Pieter Ceelen, both security researchers and red teamers with security firm Outflank B.V., have been exploring a range of attack techniques that abuse Microsoft Office features. Their previous research, shown at DerbyCon 2018, demonstrated how abusing legacy functionality (a macro language that predates VBA, for example) bypasses security controls.

Outflank B.V. is a small, specialized security firm focused on red teaming, Hegt explained in an interview with Dark Reading. During most engagements, they attempt to remotely compromise workstations. Remote entry is among the toughest attacker methods, says Hegt. "It forces us to innovate, but we don't see that much innovation in this respect, in the wild."

Early findings prompted them to analyze flaws within the functionalities embedded into the Office suite. And since DerbyCon, the duo has continued to research Office and uncover new security holes.

"To dive into Microsoft Office, there's so much to go into," says Hegt. "When we dove in with the purpose of DerbyCon, we noticed there were many points to go left or right with additional research. Every path led to more cool stuff we could present to the world."

As part of their ongoing research, Hegt and Ceelen found "at least two things that were not according to spec" - and resulted in two vulnerabilities being recently patched by Microsoft. One CVE uses the old feature of fields in Microsoft Word, in combination with macro buttons (no VBA required) to steal the contents of any file on disk. Another CVE uses fields in combination with templates and headers to build phishing documents without the use of macros.

"There are plenty of new defenses being built into Microsoft Office, but there are so many archaic features," Heft continues. "Many times, those archaic features can be exploited to evade or abuse modern defenses."

Both bugs the team discovered can be exploited to steal information; one steals files, the other goes after credentials. Further, they say, both combine legacy features in ways that likely weren't foreseen. The researchers note their analysis shows that the kind of Office malware currently seen in the wild is "just the tip of the iceberg" of what's possible in Office threats.

At Black Hat Asia, coming up March 26-29 in Singapore, Hegt and Ceelen will take the stage to present their talk "Office in Wonderland," in which they will disclose details on new Word and Excel vulnerabilities, release attack vectors which Microsoft deemed Office features, and demonstrate the security impact of the architectural design of the full Office suite.

Getting Bugged Down

As part of its January Patch Tuesday release, Microsoft issued CVE-2019-0561, a Microsoft Word information disclosure vulnerability discovered as part of Hegt and Ceelen's research. The flaw exists when Word macro buttons are improperly used, and a successful attacker could target the vulnerability to read arbitrary files from a targeted system, according to Microsoft.

To exploit CVE-2019-0561, an attacker would have to create a malicious file and convince the user to open it. They would have to know the location of the file whose data they want to steal. Microsoft's patch for CVE-2019-0561 addresses the vulnerability by changing the way some Word functions handle security warnings.

Microsoft's February Patch Tuesday release yesterday included CVE-2019-0540, addressing another bug discovered by Hegt and Ceelen. This is a Microsoft Office security feature bypass flaw that exists when Office doesn't validate URLs. Attackers can send victims specially crafted files to trick them into entering credentials and perform a phishing attack.

"A lot of organizations rely on username and password combinations," says Ceelen. "As an attacker it's very much in interest to go collect usernames and passwords." This bug lets attackers send plain docs without any macros, and it will alert the target with a pop-up to enter their credentials. "We slowly see bad guys abusing these techniques," he continues.

The patch addresses the vulnerability by ensuring Office properly validates URLs. While Ceelen points to an attacker focus on Word and Excel, given they have the longest history, he notes Microsoft has upped its patching game. "We see them making steps in all directions," Ceelen says.

Both CVE-2019-0561 and CVE-2019-0540 were classified as Important in severity by Microsoft. Neither was publicly known or exploited in the wild prior to the release of their patches.

Related Content:

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.