
1/20/2010
03:43 PM

Emergency IE Patch Coming Thursday; Microsoft Warns Office Apps Can Also Be Used In Attacks

Security update covers attacks using IE, Office apps

Microsoft today said its anticipated emergency patch for the Internet Explorer flaw abused in the targeted attacks on Google and other organizations will be issued tomorrow, and it turns out IE isn't the only attack vector -- several Microsoft Office applications can also be used to wage an attack.

"We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation," said Jerry Bryant, senior security program manager for Microsoft, in a blog post today.

Bryant said users should disable ActiveX Controls in Microsoft Office to prevent attacks coming via these files. Because these applications make calls to mshtml.dll and have active scripting enabled by default, the flaw in IE could be exploited via these apps even though the IE vulnerability isn't actually in the apps. Microsoft says applying the new patch will address this problem, as well.
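One way to triage documents while the patch is pending is to flag files that carry an embedded ActiveX control before users open them. This is an added example, not code from Microsoft or the original article: it assumes Office 2007 Open XML files (.docx, .xlsx, .pptx), where each control is stored as an `activeX/activeX*.xml` part, and it does not cover legacy binary formats or Access databases; the function names and the sample package are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# Open XML packages keep each embedded control in <app>/activeX/activeXN.xml
AX_PART = re.compile(r"^(word|xl|ppt)/activeX/activeX\d+\.xml$", re.I)
# The control's CLSID is the classid attribute of the part's root element
CLASSID = re.compile(rb'classid\s*=\s*"(\{[0-9A-Fa-f-]{36}\})"')
MAX_PART = 1 << 20  # do not inflate parts declared larger than 1 MiB


def find_activex(data: bytes) -> list:
    """Return one record per ActiveX part found in an Open XML file."""
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return []  # legacy binary formats are out of scope here
    hits = []
    with zipfile.ZipFile(stream) as package:
        for info in package.infolist():
            if not AX_PART.match(info.filename):
                continue
            classid = None
            if info.file_size <= MAX_PART:
                # Regex instead of an XML parser: the file is untrusted
                found = CLASSID.search(package.read(info))
                classid = found.group(1).decode() if found else None
            hits.append({"part": info.filename, "classid": classid})
    return hits


def build_sample(with_control: bool) -> bytes:
    """Constructed test package, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("word/document.xml", "<document/>")
        if with_control:
            package.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{00000000-0000-0000-0000-000000000000}"/>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            for hit in find_activex(handle.read()):
                print(f"{path}: {hit['part']} classid={hit['classid']}")
```

A hit means only that the file embeds a control, not that it is malicious; it is a reason to hold the file for closer inspection.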

Experts with knowledge of the wave of targeted attacks out of China said last week that some infected Office documents, including Excel spreadsheets, had been used to lure users within the victim companies to open what appeared to be files from people they knew. Once the files were open, they ran the exploit that gave attackers a backdoor into the victim organizations.

Microsoft relayed the latest information on the patch and attack vectors today via an advance notification of tomorrow's MS10-002 out-of-band update, which addresses a vulnerability it rates as "critical." The software giant says while there has been an uptick in these attacks, so far they have been limited, and the "only successful attacks have been against Internet Explorer 6."

The emergency patch covers all versions of IE. The heat was on Microsoft this week as exploit code went public and researchers began retooling the code to work with newer versions of IE, including IE 8, and even to bypass Microsoft's Data Execution Prevention (DEP) security feature -- a measure that Microsoft had said would mitigate the attack. VUPEN Security revealed it was able to fashion the exploit to bypass DEP on IE 8, rendering DEP useless against the attack, while renowned researcher Dino Dai Zovi wrote an exploit that works on IE 6 and IE 7 on XP, as well as IE 7 on Vista -- with browsers that don't have DEP enabled.

Chaouki Bekrar, CTO of VUPEN Security, says his team was able to bypass DEP on IE 8 and execute arbitrary code; it has sent its exploit code to Microsoft for review.

Microsoft says while the DEP bypass exploit was provided to some antivirus, IDS, and IPS vendors and government CERT agencies, the company has not seen any attacks in the wild for this.

So far, Microsoft says it has seen "private" proof-of-concept (PoC) code exploiting IE 7 on XP, private PoC code exploiting IE 7 on Windows Vista without DEP, and limited commercial availability of PoC code exploiting IE 8 on XP. The software giant says it's not aware of any PoC code exploiting Windows Vista with DEP.

Microsoft's advisory also confirmed that Outlook, Outlook Express, and Windows Live Mail have a low risk of being used as attack vectors for this vulnerability, but that it hasn't seen any attacks being waged via those applications. "By default, Outlook, Outlook Express and Windows Live Mail open HTML e-mail messages in the Restricted sites zone, which helps mitigate attacks seeking to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used. Additionally, Outlook 2007 uses a different component to render HTML e-mail, removing the risk of the exploit," blogged Microsoft's Bryant.

Meanwhile, the Office attack method is basically an indirect way of calling the vulnerable IE code, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "As long as the system is unpatched, it's not enough just to toughen up IE: Office also needs to be hardened as it can call the same code without the restrictions imposed upon IE specifically," he says. "Since both IE and Office rely on the same files for certain functionality, patch the file, and the vulnerability is fixed systemwide."

And it's only a matter of time until attackers start going after IE 7 and IE 8, experts say. "Despite the fact that we've seen just limited attacks using this vulnerability, with exploit code public, there is no reason to think we won't see more attack attempts," said Joshua Talbot, security intelligence manager for Symantec Security Response, in a statement.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
