LAS VEGAS. There was a time when Microsoft Office documents were easily exploitable by attackers, and those days may be on the way back.
According to a pair of researchers presenting at the Black Hat conference today, Microsoft Office is still at risk, despite multiple security measures taken by Microsoft and others. Taiwanese researchers Sung-ting Tsai (who also goes by the name TT) and Ming-chieh Pan demoed multiple techniques to a live Black Hat audience as proof of concept that they could exploit documents and use them as delivery platforms for malware.
TT noted that document attachments are often used in Advanced Persistent Threat (APT) attacks since the exploit can be customized.
“If you have installed all Microsoft Office patches and there are no 0 day vulnerabilities, will it be safe to open a Word or Excel document?” TT asked the audience. “The answer is no.”
The answer is no because of hybrid document attack techniques. TT explained that in the hybrid document exploit, a Flash file is embedded in an Excel or Word document.
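For defenders triaging attachments, an embedded Flash object of the kind described above can be surfaced structurally. The following Python heuristic is an added example, not code from the talk or from this article: it flags plausible SWF headers and the Flash ActiveX ProgID in document bytes, unpacking OOXML (zip) parts first. The sample documents are constructed, and the version and size bounds are assumptions chosen to cut false positives.

```python
import io
import struct
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib and LZMA SWF signatures
FLASH_PROGID = b"ShockwaveFlash.ShockwaveFlash"  # ProgID of the Flash ActiveX control
FLASH_PROGID_UTF16 = FLASH_PROGID.decode().encode("utf-16-le")

def find_swf_headers(data):
    """Offsets where a SWF header is plausible: magic, version byte, 4-byte LE length."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                (length,) = struct.unpack_from("<I", data, pos + 4)
                # Assumed sanity bounds; they reject most chance matches in text.
                if 1 <= version <= 50 and 8 < length < 100 * 1024 * 1024:
                    hits.append(pos)
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def scan_document(data):
    """Scan a document; OOXML containers are unpacked and scanned part by part."""
    parts = {"<raw>": data}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            parts = {name: zf.read(name) for name in zf.namelist()}
    findings = []
    for name, blob in parts.items():
        offsets = find_swf_headers(blob)
        has_progid = FLASH_PROGID in blob or FLASH_PROGID_UTF16 in blob
        if offsets or has_progid:
            findings.append({"part": name, "swf_offsets": offsets, "flash_progid": has_progid})
    return findings

def constructed_samples():
    """Constructed inputs: legacy-style blob, OOXML with Flash, clean OOXML."""
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56
    legacy = b"\xd0\xcf\x11\xe0" + b"\x00" * 32 + swf
    flash_doc, clean_doc = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(flash_doc, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.bin", swf)
    with zipfile.ZipFile(clean_doc, "w") as zf:
        zf.writestr("word/document.xml", "<w:document>FWS</w:document>")
    return legacy, flash_doc.getvalue(), clean_doc.getvalue()
```

A hit only means the document carries Flash content and deserves closer inspection; it says nothing about whether that content is malicious.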
TT explained that Microsoft’s DEP (Data Execution Prevention) can potentially be disabled via a malicious Flash file. That said, he noted that DEP and ASLR (Address Space Layout Randomization) in Microsoft Windows do give attack writers a headache.
TT also noted that Microsoft has released EMET (Enhanced Mitigation Experience Toolkit), which also makes it harder to exploit Office files. But that doesn’t mean attackers can’t get around those protections.
TT explained that with advanced fuzzing techniques, researchers are finding new Flash vulnerabilities that can then be leveraged in hybrid attacks against Office files.
Adobe has also recently strengthened Flash with sandboxing capabilities to limit the ability of potential rogue processes. TT explained that with Flash sandboxing the basic idea is that if you can access the network then you cannot access local files. And if you have local access then the Flash object will be restricted for network access.
There is a way to get around the Flash sandboxing that TT demonstrated. He explained that it is possible to use an mms:// link that will trigger Windows to open IE, which in turn will cause Windows Media Player to open. Using that simple workaround, TT said that an attacker could create an attack that might be able to steal a user’s cookies, passwords or other information.
As a caveat, he showed that the attack worked easily in IE 7. With IE 8 and 9, users get a dialogue box that first asks for access. TT added that he could likely create a false dialogue box to trick users into clicking okay.
In terms of mitigating against APT document attacks, TT said that signature-based anti-virus doesn’t work. He suggested that IPS (intrusion prevention systems) could help to mitigate risk.
TT then proceeded to demonstrate how some IPS systems could be defeated in order to enable the hybrid document attacks.
“We believe attackers are working hard on these topics,” TT said. “We wish security vendors will work on solutions to come out ahead of the attackers.”
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.