A recent zero-day exploit in Microsoft Windows and Office may have affected more users than previously thought. The vulnerability allows attackers to take over PCs via malicious Word documents sent as email attachments. After a machine is infected, it can be remotely controlled, as if the exploit’s perpetrators were logged on to it.
At first, the vulnerability appeared limited to high-profile targets in Asia and the Middle East, but subsequent research has revealed that it may have ties to the Citadel Trojan. Accordingly, its impact, especially on the financial sector, may be significant.
Moreover, the discovery and analysis of this threat suggests that the cybersecurity community is still adjusting its approach to zero-day vulnerabilities. Many attacks seem isolated at first but are actually elaborate schemes capable of compromising assets across a variety of populations.
As detection and precautionary solutions improve, researchers will ideally gain more insight into how the creators of these cutting-edge exploits often have major ambitions. Along the way, careful scrutiny of zero-day attacks will produce additional benefits, such as the early discovery of novel attack techniques that may presage broader change in cybercriminal tactics.
Windows/Office exploit manipulates ActiveX controls to install malware
The exploit came to light in early November, when Microsoft began warning users about a vulnerability that could be exploited via carefully constructed Word documents. Like a standard phishing campaign, the ensuing attack tempts users to click on a malicious email attachment disguised as a legitimate communication.
If the user opens the attachment, the Word document goes to work bypassing address space layout randomization (ASLR) and data execution prevention (DEP). More specifically, it uses return-oriented programming (ROP), chaining together fragments of code already present in Windows and Office so that they execute to malicious effect.
However, the most notable characteristic of the attack is that it relies on ActiveX controls for this stage. Typically, Adobe Flash Player is the component favored for that role in these types of attacks.
“Previously attackers usually chose Flash Player to spray memory in Office,” explained McAfee Labs’ Haifei Li. “We would believe the new trick was developed under the background that Adobe introduced a click-to-play feature in Flash Player months ago, which basically killed the old one. This is another proof that attacking technique always tries to evolve when old ones don’t work anymore.”
Exploit targets TIFF handling to set up communication with command-and-control server
The malicious attachments exploit a weakness in the way that Windows and Office handle graphics, such as TIFFs, that are embedded in Office documents. In this regard, they take advantage of the same class of image-parsing vulnerabilities that has long caused issues for PDF attachments.
Still, the use of Word files as vehicles for the malicious payload is interesting because it creates a distraction from what is occurring during the infection. Ultimately, the attackers can obtain unfettered access to the system and execute arbitrary commands.
Infection via Word document is only the first step in how the exploit works. After the system is compromised, a RAR file is downloaded that contains instructions for communicating with a command-and-control server.
This C&C server transmits several pieces of malware to the infected PC, including a keylogger and a backdoor. Compromised machines are also at risk of having Office files stolen by attackers. Computers running Office 2003 or 2010, Windows Vista, Windows Server 2008 or any version of Lync are at risk, although Office 2010 users are likely safe if they are running the suite on Windows 7 or later.
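The two ingredients described above, an embedded TIFF image to reach the vulnerable graphics code and an ActiveX control to prepare memory, are both visible inside a .docx container, which is just a ZIP archive. The following triage script is an added example written for this article; it is not code from the article, McAfee Labs or Microsoft. It opens a document as a ZIP, identifies image parts by their TIFF magic bytes rather than by file extension (an attacker can rename a part freely), counts ActiveX parts, and returns a verdict for an analyst or mail gateway to act on. The OOXML part paths (word/media/, word/activeX/) are the standard layout; the sample documents it builds are constructed inline for demonstration. A hit means "inspect this attachment", not "this is the exploit": legitimate documents can contain both.

```python
"""Heuristic triage of a .docx attachment for embedded TIFF images and ActiveX parts.

Added defender-side example; not code from the article or any vendor.  The
verdicts are heuristic flags for closer inspection, not a vulnerability test.
"""
import io
import zipfile

# A TIFF file starts with a byte-order mark ("II" or "MM") followed by the
# magic number 42 in that byte order.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def scan_docx(data: bytes) -> dict:
    """Inspect a .docx blob and report TIFF media parts and ActiveX parts.

    Verdicts: "not-ooxml" (not a ZIP container, e.g. a legacy binary .doc),
    "clean" (neither ingredient), "review" (one of the two), "high" (both).
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"tiff_parts": [], "activex_parts": [], "verdict": "not-ooxml"}

    tiff_parts, activex_parts = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.startswith("word/media/"):
                # Identify by content, not by extension: read only the header.
                with zf.open(name) as part:
                    head = part.read(4)
                if head in TIFF_MAGICS:
                    tiff_parts.append(name)
            elif lower.startswith("word/activex/"):
                activex_parts.append(name)

    if tiff_parts and activex_parts:
        verdict = "high"
    elif tiff_parts or activex_parts:
        verdict = "review"
    else:
        verdict = "clean"
    return {"tiff_parts": tiff_parts, "activex_parts": activex_parts, "verdict": verdict}


def build_sample_docx(with_tiff: bool, with_activex: bool) -> bytes:
    """Construct a minimal .docx-shaped ZIP for demonstration (constructed data).

    The TIFF part is deliberately stored under a .png name to show that the
    scanner keys on the header bytes rather than the file extension.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_tiff:
            # Little-endian TIFF header: "II", 42, then the offset of the first IFD.
            zf.writestr("word/media/image1.png", b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16)
        if with_activex:
            zf.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
    return buf.getvalue()


if __name__ == "__main__":
    for tiff, activex in ((False, False), (True, False), (False, True), (True, True)):
        print(f"tiff={tiff} activex={activex} ->", scan_docx(build_sample_docx(tiff, activex)))
    print("legacy .doc ->", scan_docx(b"\xd0\xcf\x11\xe0not a zip"))
```

In a mail gateway this would run on every Office attachment before delivery; the "review" and "high" verdicts are the ones worth routing to a sandbox or an analyst, and the "not-ooxml" case is a reminder that legacy binary .doc files need a different parser.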
Scope of vulnerability may be larger than first thought, with ties to Citadel Trojan
Despite the wide array of affected operating systems and applications, the exploit seemed limited in scope at first, with most C&C traffic directed at IPs in Pakistan. Similarly, Microsoft’s initial communications about the risk characterized it as a phenomenon mostly confined to the Middle East and Asia. It appeared to be a highly targeted campaign, possibly for purposes of corporate espionage.
However, the distinctive signatures of the Windows/Office exploit have shown up in the delivery of the Citadel Trojan, a malware strain that targets bank accounts. The TIFF vulnerability in some of Microsoft’s platforms was at the heart of a Citadel-based botnet being operated by a cybercrime syndicate alternately known as Ark or Arx.
The exploit’s usage in high-profile campaigns is perhaps unsurprising, since the most recent Windows/Office attacks may be the work of the same India-based group that was behind the Operation Hangover espionage campaign. As Ars Technica’s Dan Goodin explained, the scope and details of zero-day attacks are often difficult to accurately assess.
“It’s not uncommon for initial reports of an ongoing zero-day attack to understate its magnitude,” Goodin asserted. “Such understatements are largely unavoidable, since researchers are working with incomplete information that only increases in the days following their disclosure. That’s why it’s always a good idea to take reports like these seriously by following any available mitigation advice, even if users think that the likelihood they are vulnerable is low.”
Security patches, Windows updates the key to reducing risk from zero-day exploits
Defending against the current exploits, whether they tie into Citadel or other malware, is mostly a matter of implementing best practices for email security and staying on top of system security updates. Microsoft has already issued a patch for this vulnerability, and enterprises should be diligent about rolling it out to all vulnerable computers as soon as possible.
At the same time, these weaknesses may provide extra impetus for organizations to upgrade their IT assets to newer versions of Windows. Although Vista was never widely adopted by companies, the aging XP platform remains in widespread use and exposes users to risks that do not exist on Windows 7, 8 or 8.1. In addition to installing patches and using current cybersecurity software, updating Windows can be a huge step forward in reducing exposure from a wide range of attacks.
Zero-day risks are still prevalent, as demonstrated by the Windows/Office threat and recent vulnerabilities discovered in specific versions of Internet Explorer. In many cases, cybercriminals are taking advantage of outdated software that has remained in widespread use for several possible reasons, including cybersecurity negligence, budget constraints or logistical issues.
Either way, these recent TIFF exploits highlight the value of getting help when hardening IT systems against malware. Although initially frightening, many zero-day incidents can be addressed with existing protocols and solutions.