LAS VEGAS. There was a time when Microsoft Office documents were easily exploitable by attackers, and those days may be on the way back.
According to a pair of researcher presenting at the Black Hat conference today, Microsoft Office is still at risk, despite multiple security measure taken by Microsoft and others. Taiwanese researchers Sung-ting Tsai (who also goes by the name TT) and Ming-chieh Pan demoed multiple techniques to a live Black Hat audience as proof of concept that they could exploit documents and use them as delivery platforms for malware.
TT noted that document attachment are often used in Advanced Persistent Threat (APT) attacks since the exploit can be customized.
“If you have installed all Microsoft Office patches and there are no 0 day vulnerabilities, will it be safe to open a Word or Excel doucment?” TT asked the audience. ” The answer is no.”
The reason why the answer is no is because of hybrid document attack techniques. TT explained that in the hybrid document exploit a Flash file is embedded in Excel or Word document.
TT explained that Microsoft’s DEP (Data Execution Prevention) can potentially be disabled via a malicious Flash file. That said, he noted that DEP and ASLR (Address Space Layout Randomization) in Microsoft Windows does give attack writers a headache.
TT also noted that Microsoft has released EMET (Enhanced Mitigation Experience Toolkit) which also makes it harder to exploit Office files. But that doesn’t mean they still can’t get around those protections.
TT explained that with advanced fuzzing techniques, researchers are finding new Flash vulnerabilities that can then be leveraged in hybrid attacks agains Office files.
Adobe has also recently strengthened Flash with sandboxing capabilities to limit the ability of potential rogue processes. TT explained that with Flash sandboxing the basic idea is that if you can access the network then you cannot access local files. And if you have local access then the Flash object will be restricted for network access.
There is a way to get around the Flash sandboxing that TT demonstrated. He explained that it is possible to use an mms:// link that will trigger Windows to open IE, which in turn will cause Windows Media Player to open. Using that simple workaround, TT said that an attacker could create an attack that might be able to steal user’s cookies, passwords or other information.
As a caveat, he showed that the attack worked easily in IE 7. With IE 8 and 9, users get a dialogue box that first asked for access. TT added that he could likely create a false dialogue box to trick users to click okay.
In terms of mitigating against APT document attacks, TT said that signature based anti-virus doesn’t work. He suggest that IPS (intrusion prevention systems) could help to mitigate risk.
TT then proceed to demonstrate how some IPS systems could be defeated in order to enable the hybrid document attacks.
“We believe attackers are working hard on these topics,” TT said. “We wish security vendors will work on solutions to come out ahead of the attackers.”