Office 2010 Immune To New Zero-Day Flash Attacks

Microsoft weighed in today on the new, targeted zero-day attacks revealed by Adobe this week that hide a Flash Player exploit inside Excel spreadsheet documents -- confirming that Office 2010 is safe from the attack due to built-in security mitigation features and offering stopgap protection measures for earlier versions of its software.

Adobe plans to issue a patch next week for the flaw, which affects Adobe Flash Player versions 10.2.152.33 and earlier. According to Microsoft's analysis of the exploit, the exploit loads shellcode into memory, executes heap-spraying, and then loads the Flash byte stream from memory to exploit the previously unknown CVE-2011-0609 flaw.

"Microsoft is aware of public reports of attacks using Adobe Flash Player. We encourage customers to review Adobe's advisory. Office 2010 users are not susceptible to the current attacks as they do not bypass Data Execution Prevention (DEP). Microsoft's Enhanced Mitigation Experience Toolkit (EMET) offers further mitigation for this vulnerability," says Jerry Bryant, group manager of response communications at Microsoft.

Users of earlier versions of Office should run Microsoft's EMET, which helps block targeted attacks exploiting unpatched vulnerabilities with mitigations for third-party apps and older Microsoft apps.

"The current attacks do not bypass the Data Execution Prevention security mitigation (DEP). Microsoft Office 2010 turns DEP on for the core Office applications, and this will also protect Flash Player when it is loaded inside an Office application. In addition to that, users of the 64 bit edition of Microsoft Office 2010 have even less exposure to the current attacks as the shellcode for all the exploits we've seen will only work on a 32 bit process. What's more, if an Office document originates from a known unsafe location such as email or the internet, Office 2010 will activate the Protected View feature," according to a new blog post by Microsoft's Andrew Roths and Chengyun Chu today.

In its analysis of the zero-day malware, Microsoft found a file that appears to have been used for fuzzing Flash files. "We suspect this vulnerability was found using fuzzing technology from clean Flash files, because we found a file on the Internet that looks like it might have been used for the fuzzing. Through differential analysis between the original clean file and the exploit file, we could confirm the vulnerability," blog says.

But the Flash-rigged Excel file highlights an underlying problem Microsoft has not directly addressed, security expert say: the fact that software vendors are packing products with excess functionality that only opens the door for abuse.

Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, says the ability to embed Flash SWF files inside Excel documents really isn't necessary. "Web browsers all have plug-ins, and it's common practice to be able to disable plug-ins ... I don't want to see Flash files in Excel. Admins should be able to disable it," he says. "We as an industry are looking more at ways to reduce the attack surface."

But Microsoft's integration among its applications for productivity purposes makes sense, he says. "But Microsoft could look at the Adobe model ... allowing admins to blacklist the use of certain features within Reader," for example, Schouwenberg says. Complexity in software basically causes more security issues, he says.

It's all about reducing the attack surface, says Brad Arkin, senior director for product security and privacy at Adobe. "If you can reduce the attack surface, hopefully, fewer things will go wrong," Arkin says.

Meanwhile, Microsoft says there's also a workaround in Office 2007 to protect against the Flash attacks: Change the setting in the Trusted Center to "disable all controls without notification."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.