"We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation," said Jerry Bryant, senior security program manager for Microsoft, in a blog post today.
Bryant said users should disable ActiveX Controls in Microsoft Office to prevent attacks coming via these files. Because these applications make calls to mshtml.dll and have active scripting enabled by default, the flaw in IE could be exploited via these apps even though the IE vulnerability isn't actually in the apps. Microsoft says applying the new patch will address this problem, as well.
Experts with knowledge of the wave of targeted attacks out of China said last week that some infected Office documents, including Excel spreadsheets, had been used to lure users within the victim companies to open what appeared to be files from people they knew. Once the files were open, they ran the exploit that gave attackers a backdoor into the victim organizations.
Microsoft relayed the latest information on the patch and attack vectors today via an advance notification on tomorrow's MS10-002 out-of-band update, a vulnerability it rates as "critical." The software giant says while there has been an uptick in these attacks, so far they have been limited, and the "only successful attacks have been against Internet Explorer 6."
The emergency patch covers all versions of IE. The heat was on Microsoft this week as exploit code went public and researchers began retooling the code to work with newer versions of IE, including IE 8 and even bypassing Microsoft's Data Execution Prevention (DEP) security feature -- a measure that Microsoft had said would mitigate the attack. VUPEN Security revealed it was able to fashion the exploit to bypass DEP on IE 8, rendering DEP useless against the attack, while renowned researcher Dino Dai Zovi wrote an exploit that works on IE 6 and IE 7 on XP, as well as IE 7 on Vista -- with browsers that don't have DEP enabled.
Chaouki Bekrar, CTO of VUPEN Security, says his team was able to bypass DEP on IE 8 and execute arbitrary code; it has sent its exploit code to Microsoft for review.
Microsoft says while the DEP bypass exploit was provided to some antivirus, IDS, and IPS vendors and government CERT agencies, the company has not seen any attacks in the wild for this.
So far, Microsoft says it has seen "private" proof-of-concept (PoC) code exploiting IE 7 on XP, private PoC code exploiting IE 7 on Windows Vista without DEP, and limited commercial availability of PoC code exploiting IE 8 on XP. The software giant says it's not aware of any PoC code exploiting Windows Vista with DEP.
Microsoft's advisory also confirmed that Outlook, Outlook Express, and Windows Live Mail have a low risk of being used as attack vectors for this vulnerability, but that it hasn't seen any attacks being waged via those applications. "By default, Outlook, Outlook Express and Windows Live Mail open HTML e-mail messages in the Restricted sites zone, which helps mitigate attacks seeking to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used. Additionally, Outlook 2007 uses a different component to render HTML e-mail, removing the risk of the exploit," blogged Microsoft's Bryant.
Meanwhile, the Office attack method is basically an indirect way of calling the vulnerable IE code, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "As long as the system is unpatched, it's not enough just to toughen up IE: Office also needs to be hardened as it can call the same code without the restrictions imposed upon IE specifically," he says. "Since both IE and Office rely on the same files for certain functionality, patch the file, and the vulnerability is fixed systemwide."
And it's only a matter of time until attackers start going after IE 7 and IE 8, experts say. "Despite the fact that we've seen just limited attacks using this vulnerability, with exploit code public, there is no reason to think we won't see more attack attempts," said Joshua Talbot, security intelligence manager for Symantec Security Response, in a statement.
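The mitigations the story mentions (DEP on the system, Active Scripting and ActiveX disabled in the Restricted sites zone that the mail clients use, and ActiveX disabled in Office) can all be checked from the registry. The following read-only audit script is an added example, not code from the article, from Microsoft or from any vendor quoted above. The IE zone value names (1200, 1400) and the Win32_OperatingSystem DEP property are standard; the Office key path and the DisableAllActiveX value name are an assumption about where the Trust Center setting is stored and should be confirmed against the Office version installed.

```powershell
# Added example, not code from the article or from Microsoft: a read-only audit
# of the mitigations the story describes, run on the Windows host in question.
# It reports settings and changes nothing.

# 1. System-wide DEP policy (Win32_OperatingSystem property).
#    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut.
$depPolicy = (Get-WmiObject -Class Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
"DEP policy: $($depNames[[int]$depPolicy])"

# 2. Restricted sites zone (zone 4), which Outlook, Outlook Express and Windows
#    Live Mail use for HTML mail. Value names are IE URL-action IDs:
#    1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting.
#    Data: 0 = enable, 1 = prompt, 3 = disable.
$zonePath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4'
$zone       = Get-ItemProperty -Path $zonePath -ErrorAction SilentlyContinue
$stateNames = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
$actions    = @{ '1200' = 'Run ActiveX controls'; '1400' = 'Active scripting' }
foreach ($action in $actions.GetEnumerator()) {
    $data = $null
    if ($zone -ne $null) { $data = $zone.($action.Key) }
    $state = if ($data -eq $null) { 'not set (zone default)' } else { $stateNames[[int]$data] }
    "Restricted sites zone, $($action.Value): $state"
}

# 3. Office Trust Center "Disable all controls without notification".
#    Assumption: stored as DWORD DisableAllActiveX under Common\Security of the
#    installed version's key (12.0 = Office 2007); adjust the version list.
foreach ($ver in '11.0', '12.0', '14.0') {
    $officePath = "HKCU:\Software\Microsoft\Office\$ver\Common\Security"
    if (Test-Path $officePath) {
        $v = (Get-ItemProperty -Path $officePath -ErrorAction SilentlyContinue).DisableAllActiveX
        $state = if ($v -eq 1) { 'all ActiveX controls disabled' } else { 'ActiveX controls allowed (default)' }
        "Office $ver : $state"
    }
}
```

Run it in the interactive user's session, since the zone and Office settings are per-user (HKCU); a value reported as "not set" means the zone is using its built-in default, which for Restricted sites disables both actions unless a policy or the user has changed it.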