Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/13/2019
02:39 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Researchers Dig into Microsoft Office Functionality Flaws

An ongoing study investigating security bugs in Microsoft Office has so far led to two security patches.

Microsoft Office, ubiquitous on enterprise and personal computers, is a hot target for cybercriminals and a key focus area for researchers hoping to find bugs before the bad guys do.

Stan Hegt and Pieter Ceelen, both security researchers and red teamers with security firm Outflank B.V., have been exploring a range of attack techniques that abuse Microsoft Office features. Their previous research, shown at DerbyCon 2018, demonstrated how abusing legacy functionality (a macro language that predates VBA, for example) bypasses security controls.

Outflank B.V. is a small, specialized security firm focused on red teaming, Hegt explained in an interview with Dark Reading. During most engagements, they attempt to remotely compromise workstations. Remote entry is among the toughest attacker methods, says Hegt. "It forces us to innovate, but we don't see that much innovation in this respect, in the wild."

Early findings prompted them to analyze flaws within the functionalities embedded into the Office suite. And since DerbyCon, the duo has continued to research Office and uncover new security holes.

"To dive into Microsoft Office, there's so much to go into," says Hegt. "When we dove in with the purpose of DerbyCon, we noticed there were many points to go left or right with additional research. Every path led to more cool stuff we could present to the world."

As part of their ongoing research, Hegt and Ceelen found "at least two things that were not according to spec" - and resulted in two vulnerabilities being recently patched by Microsoft. One CVE uses the old feature of fields in Microsoft Word, in combination with macro buttons (no VBA required) to steal the contents of any file on disk. Another CVE uses fields in combination with templates and headers to build phishing documents without the use of macros.

"There are plenty of new defenses being built into Microsoft Office, but there are so many archaic features," Heft continues. "Many times, those archaic features can be exploited to evade or abuse modern defenses."

Both bugs the team discovered can be exploited to steal information; one steals files, the other goes after credentials. Further, they say, both combine legacy features in ways that likely weren't foreseen. The researchers note their analysis shows that the kind of Office malware currently seen in the wild is "just the tip of the iceberg" of what's possible in Office threats.

At Black Hat Asia, coming up March 26-29 in Singapore, Hegt and Ceelen will take the stage to present their talk "Office in Wonderland," in which they will disclose details on new Word and Excel vulnerabilities, release attack vectors which Microsoft deemed Office features, and demonstrate the security impact of the architectural design of the full Office suite.

Getting Bugged Down

As part of its January Patch Tuesday release, Microsoft issued CVE-2019-0561, a Microsoft Word information disclosure vulnerability discovered as part of Hegt and Ceelen's research. The flaw exists when Word macro buttons are improperly used, and a successful attacker could target the vulnerability to read arbitrary files from a targeted system, according to Microsoft.

To exploit CVE-2019-0561, an attacker would have to create a malicious file and convince the user to open it. They would have to know the location of the file whose data they want to steal. Microsoft's patch for CVE-2019-0561 addresses the vulnerability by changing the way some Word functions handle security warnings.

Microsoft's February Patch Tuesday release yesterday included CVE-2019-0540, addressing another bug discovered by Hegt and Ceelen. This is a Microsoft Office security feature bypass flaw that exists when Office doesn't validate URLs. Attackers can send victims specially crafted files to trick them into entering credentials and perform a phishing attack.

"A lot of organizations rely on username and password combinations," says Ceelen. "As an attacker it's very much in interest to go collect usernames and passwords." This bug lets attackers send plain docs without any macros, and it will alert the target with a pop-up to enter their credentials. "We slowly see bad guys abusing these techniques," he continues.

The patch addresses the vulnerability by ensuring Office properly validates URLs. While Ceelen points to an attacker focus on Word and Excel, given they have the longest history, he notes Microsoft has upped its patching game. "We see them making steps in all directions," Ceelen says.

Both CVE-2019-0561 and CVE-2019-0540 were classified as Important in severity by Microsoft. Neither was publicly known or exploited in the wild prior to the release of their patches.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/22/2019 | 1:18:27 PM
Word Perfect 4.2 for DOS
Still a good word processor and DOS now very secure. LOL
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
AWS CISO Talks Risk Reduction, Development, Recruitment
Kelly Sheridan, Staff Editor, Dark Reading,  6/25/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1619
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device. The vulnerability is due to improper session ...
CVE-2019-1620
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device. The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could ex...
CVE-2019-1621
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to gain access to sensitive files on an affected device. The vulnerability is due to incorrect permissions settings on affected DCNM software. An attacker...
CVE-2019-1622
PUBLISHED: 2019-06-27
A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to retrieve sensitive information from an affected device. The vulnerability is due to improper access controls for certain URLs on affected DCNM software...
CVE-2019-10133
PUBLISHED: 2019-06-26
A flaw was found in Moodle before 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18. The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.