Wednesday, November 06, 2013

Install fix to stop in-the-wild Windows and Office exploit, Microsoft warns


Hackers are exploiting a previously unknown vulnerability in Microsoft Windows and Office software that allows computers to be infected with malware, the company warned in advisories published Tuesday.
The advanced exploit arrives in a booby-trapped Word document attached to e-mails, Elia Florio of the Microsoft Security Response Center wrote on Tuesday. The attacks are narrowly targeted at certain individuals or companies and are mostly found in the Middle East and South Asia. The malicious document exploits a vulnerability in Microsoft's graphics device interface that makes it possible for attackers to remotely execute any code of their choice.
"If the attachment is opened or previewed, it attempts to exploit the vulnerability using a malformed graphics image embedded in the document," Dustin Childs, group manager in the Microsoft Trustworthy Computing group, wrote in a separate advisory. "An attacker who successfully exploited the vulnerability could gain the same user rights as the logged on user." Microsoft published a third advisory as well.
Microsoft has issued a temporary fix that people can install and use until a permanent patch is available. While it doesn't repair the root cause of the vulnerability, the temporary measure blocks rendering of the graphic format that triggers the bug. Other temporary measures available to Windows and Office users include modifying the Windows registry so that TIFF image files are not displayed, or installing version 4.0 of EMET, short for the Enhanced Mitigation Experience Toolkit.
The vulnerability affects Microsoft Windows Vista and Windows Server 2008, Microsoft Office 2003 through 2010, and all supported versions of Microsoft Lync. The way Office 2010 renders graphics makes it vulnerable only when running on older platforms such as Windows XP or Windows Server 2003. Office 2010 isn't affected when running on Windows 7, 8, or 8.1.
Florio said the exploit payload uses advanced techniques to bypass protections that Microsoft engineers added to later versions of Windows to make them more resistant to code-execution attacks.
"In order to achieve code execution, the exploit combines multiple techniques to bypass DEP and ASLR protections," Florio wrote, referring to the data execution prevention and address space layout randomization exploit mitigations. "Specifically, the exploit code performs a large memory heap-spray using ActiveX controls (instead of the usual scripting) and uses hardcoded ROP gadgets to allocate executable pages. This also means the exploit will fail on machines hardened to block ActiveX controls embedded in Office documents (e.g. Protected View mode used by Office 2010) or on computers equipped with a different version of the module used to build the static ROP gadgets."
ROP refers to return oriented programming, a technique that helps bypass DEP by chaining together short snippets of code (gadgets) that already exist in the application so that they carry out the attacker's operations without any new code being injected. Once Windows, Office, or Lync programs process the maliciously designed TIFF files, system memory is corrupted in a way that allows the attacker to execute arbitrary code. Microsoft credited Haifei Li of McAfee Labs' IPS Team for reporting the graphics vulnerability.
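The two ingredients the advisories describe, a malformed TIFF image embedded in a Word document and ActiveX controls used for the heap spray, are enough to build a simple mail-gateway or analyst triage check. The script below is an added example and not code from the article, Microsoft, or McAfee. It assumes the .docx (OOXML) package layout, where ActiveX parts are stored under word/activeX/, sniffs every part by its bytes rather than its file name, and falls back to a raw scan for TIFF headers in the legacy binary .doc container. The sample document it builds is constructed for the demonstration and contains only a TIFF header, not a real image; the check is a prioritisation heuristic, not a detector for the vulnerability itself.

```python
import io
import zipfile

# TIFF files begin with a byte-order mark ("II" or "MM") followed by 42.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
OOXML_MAGIC = b"PK\x03\x04"                          # .docx is a zip container
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy binary .doc container


def is_tiff(data: bytes) -> bool:
    """True if the bytes start with a TIFF header, regardless of file name."""
    return data[:4] in TIFF_MAGICS


def triage_ooxml(blob: bytes) -> dict:
    """Inspect a .docx given as bytes. Every part is sniffed by content, not by
    extension, so a TIFF renamed to .png is still found. ActiveX parts live
    under word/activeX/ in the OOXML package (assumed layout)."""
    tiff_parts, activex_parts = [], []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().startswith("word/activex/"):
                activex_parts.append(name)
            with zf.open(info) as part:
                if is_tiff(part.read(4)):
                    tiff_parts.append(name)
    return {
        "container": "ooxml",
        "tiff_parts": tiff_parts,
        "activex_parts": activex_parts,
        # Both ingredients together is the pattern the advisories describe.
        "suspicious": bool(tiff_parts and activex_parts),
    }


def triage_legacy_doc(blob: bytes) -> dict:
    """Fallback for the binary .doc container: scan the raw bytes for TIFF
    headers. Noisier than the OOXML path, but enough to prioritise review."""
    offsets = []
    for magic in TIFF_MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(magic, pos + 1)
    return {
        "container": "ole",
        "tiff_offsets": sorted(offsets),
        # With no part structure to cross-check, any embedded TIFF is flagged
        # for a human or a sandbox to look at.
        "suspicious": bool(offsets),
    }


def triage(blob: bytes) -> dict:
    """Dispatch on the container magic bytes."""
    if blob.startswith(OOXML_MAGIC):
        return triage_ooxml(blob)
    if blob.startswith(OLE_MAGIC):
        return triage_legacy_doc(blob)
    return {"container": "unknown", "suspicious": False}


def build_sample_docx(with_activex: bool) -> bytes:
    """Constructed stand-in for a .docx: the minimal parts needed to exercise
    the triage logic. The TIFF part is only a header, not a real image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # A TIFF header stored under a misleading .png name.
        zf.writestr("word/media/image1.png", b"MM\x00*" + b"\x00" * 60)
        if with_activex:
            zf.writestr("word/activeX/activeX1.bin", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample_docx(flag)))
```

Run on a quarantine folder, the `suspicious` flag separates documents worth a sandbox detonation from ordinary attachments; a document with a TIFF but no ActiveX parts is still reported in `tiff_parts` so an analyst can decide whether the temporary fix or the TIFF-rendering registry workaround is warranted on the recipient's machine.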
Haifei Li said the exploit technique is novel.
"It is worth noting that this heap-spraying in Office via ActiveX objects is a new exploitation trick which we didn't see before," Li wrote in a separate blog post. "Previously attackers usually chose Flash Player to spray memory in Office. We would believe the new trick was developed under the background that Adobe introduced a click-to-play feature in Flash Player months ago, which basically killed the old one. This is another proof that attacking technique always tries to evolve when old ones don't work anymore."
The good news out of these advisories is that the attacks observed so far are extremely targeted, as opposed to the kinds of drive-by exploits that occasionally flare up on compromised websites. Also encouraging is that only a small portion of the Microsoft ecosystem is susceptible. That said, it's possible the attacks are more widespread than reported, since it's not uncommon for initial advisories to miss some activity. Readers who use software listed as potentially vulnerable would do well to install the temporary fix and to stay apprised of the latest developments in this attack.
