My next class:

New Microsoft Advisory: Unpatched Word Flaw used in Targeted Attacks

Published: 2014-03-24. Last Updated: 2014-03-24 19:43:23 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Microsoft today published a new security bulletin, announcing that it has seen a new Word 2010 exploit used in recent targeted attacks. The exploit uses a so far unpatched vulnerability in Word that is triggered by opening a crafted RTF document.

To prevent exploitation of the vulnerability, Microsoft released a "Fix It" that will prevent Word from opening RTF documents. [1][2] 

Frequently RTF ("Rich Text Format") is used as a more portable way to exchange documents with basic formatting elements. The Fix-It may not be appropriate if you use RTF documents regularly. However, given that RTF documents are portable and can be opened by other software, it MAY be ok to just use software other then word to open the document.

This vulnerability is identified by CVE-2014-1761.

More details about the exploit can be found in Microsoft's "Security Research and Defense Blog" [3]. It points out that EMET can help block the exploit if the "Mandatory ASLR" and the "Anti-ROP" features are selected. This may be of help if you can't stop opening RTFs altogether. Word 2013 appears vulnerable, but the exploit fails due to ASLR and "just" crashes Word 2013. 

The blog post also includes indicators of compromise for the particular exploit seen.

 

[1] https://technet.microsoft.com/en-us/security/advisory/2953095
[2] https://support.microsoft.com/kb/2953095
[3] http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

1 comment(s)
My next class:

Comments

The Microsoft Fix-It for this issue appears to work by setting registry keys for the current user. If you try to roll it out with most automated tools you may only be mitigating the problem for the administrative login that runs the Fix-It and not the end users.

The registry entries involved and their settings are

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock key RtfFiles value 2

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Security\FileBlock key OpenInProtectedView value 0

Diary Archives