
Newly Patched MS Word 0-Day Heuristically Detected by Deep Discovery

  • Posted on:April 14, 2014 at 8:44 am
  • Posted in:Exploits, Vulnerabilities
  • Author:
    Jack Tang (Threats Analyst)

In between the end of support for Windows XP and the Heartbleed OpenSSL vulnerability, one good bit of news may not have been noticed: the Microsoft Word zero-day vulnerability (CVE-2014-1761) reported in late March was fixed.

We have since looked into this attack and found that the exploit was created by an attacker with some skill, resulting in what can only be described as a sophisticated exploit.

It’s quite fortunate that Microsoft was able to patch this vulnerability quickly, as its sophistication and the widespread use of Microsoft Word in enterprises meant that it would have been a highly tempting target for attackers to exploit. While this particular attack is no longer effective (as we will show later), we cannot rule out future attacks that will target the same vulnerability.

Basic Flow of the Exploit

This vulnerability is exploited when a user opens an RTF file in Microsoft Word, or previews/opens an RTF email in Outlook (using Word as the RTF viewer).

The basic flaw at the core of this vulnerability is an out-of-bounds array overwrite. After the overwrite, memory contains a fake object whose virtual table pointer points to a fake virtual table, which is controlled by RTF control words carrying specially chosen values set by the attacker. The attacker used opcode addresses that point into address ranges used by MSCOMCTL.OCX.

This particular executable is vulnerable to exploitation because it does not have address space layout randomization (ASLR) enabled; why this is the case is unknown. Carefully chosen portions of code (also known as ROP gadgets) from the above .OCX file are used to compose the first-stage shellcode, which starts at memory address 0x40000000. The first-stage shellcode finds the handle of the opened RTF file in the winword.exe process and maps a buffer from the file (starting at file offset 0xF004, with a length of 0x1000) into the process address space at 0x40002000. This mapped buffer makes up the second stage of the shellcode.
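One check a defender can run on any module that Word loads, added here as an example and not taken from the original post: read the DllCharacteristics field of the PE optional header and test the DYNAMIC_BASE bit, which is the loader's signal that a module may be relocated. The parser and the constructed header are this example's own; the field offsets and flag values are those of the PE format, and the header-builder exists only so the script runs offline without a real .OCX on disk.

```python
import struct
import sys

# PE DllCharacteristics bits (from the PE/COFF specification).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # module opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # module opts in to DEP


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics word from a PE image's optional header.

    DllCharacteristics sits at offset 70 of the optional header for both
    PE32 (magic 0x10B) and PE32+ (magic 0x20B) images.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                           # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_opt < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    return struct.unpack_from("<H", pe, opt + 70)[0]


def has_aslr(pe: bytes) -> bool:
    """True if the module is marked relocatable (DYNAMIC_BASE set)."""
    return bool(dll_characteristics(pe) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def mitigation_report(pe: bytes) -> dict:
    """Summarise the two opt-in mitigations a ROP-based exploit cares about."""
    flags = dll_characteristics(pe)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_fake_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (not a real module) so the example runs offline."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 0 sections, no symbols, SizeOfOptionalHeader=0xE0,
    # Characteristics=EXECUTABLE|32BIT|DLL.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000000)      # ImageBase (arbitrary)
    struct.pack_into("<H", opt, 70, dll_chars)       # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_aslr.py <path to a DLL/OCX/EXE on disk>
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], mitigation_report(fh.read()))
    else:
        for chars in (0x0140, 0x0100):
            print(hex(chars), mitigation_report(build_fake_pe(chars)))
```

Two caveats when reading the result: a module can carry the DYNAMIC_BASE bit and still sit at a fixed address if its relocation section was stripped, and on Windows XP the flag is ignored because the OS has no ASLR at all. Conversely, tools such as EMET's mandatory ASLR setting could, at the time of this attack, force relocation of a module that lacked the flag.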

The second stage, somewhat unusually, checks the Windows Update log of the affected system. If it sees that patches have been applied on or after April 8 (the regular Patch Tuesday date), it stops running. Otherwise, it drops its payload (named svchost.exe) and runs it. This particular attack is no longer effective today because of the April 8 date check, but it would be trivial to reuse similar code without the date check, especially with samples in the wild available to guide other attackers.

In our analysis, we noticed that this particular sample crashes, but does not successfully exploit, older versions of Office 2010 that lacked the latest updates as of late March (we tested this with version 14.0.4730.1010). Newer versions that were fully patched as of the discovery of the zero-day were successfully exploited.

The sample is also similar to exploits for CVE-2012-2539, which likewise use an invalid value for the RTF control word listoverridecount.
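As an added illustration (not code from the original post, nor the logic of Deep Discovery or ATSE), here is a small heuristic scanner for the control word discussed above: it tokenises RTF control words and flags any listoverridecount whose parameter falls outside the values the RTF specification describes and Word normally writes. The accepted set {0, 1, 9} and the two sample documents are this example's own assumptions.

```python
import re
from typing import List, Tuple

# The RTF specification says \listoverridecountN should be 1 or 9, and Word
# itself routinely writes 0. Treating every other value as invalid is this
# example's own heuristic.
VALID_LISTOVERRIDECOUNT = {0, 1, 9}

# An RTF control word is a backslash, ASCII letters, and an optional signed
# numeric parameter, e.g. \listoverridecount9 or \ls1. Control symbols such
# as \* do not match and are skipped.
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?[0-9]+)?")


def scan_rtf(data: bytes) -> List[Tuple[int, str, int]]:
    """Return (offset, control_word, value) for each listoverridecount whose
    parameter is outside the expected set. A missing parameter counts as 0,
    the usual RTF default."""
    findings = []
    for m in CONTROL_WORD.finditer(data):
        word = m.group(1).decode("ascii")
        if word != "listoverridecount":
            continue
        value = int(m.group(2)) if m.group(2) else 0
        if value not in VALID_LISTOVERRIDECOUNT:
            findings.append((m.start(), word, value))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the document carries at least one invalid listoverridecount."""
    return bool(scan_rtf(data))


# Constructed samples for the example; neither is the real exploit document.
BENIGN_RTF = (rb"{\rtf1\ansi\deff0{\*\listoverridetable{\listoverride\listid1"
              rb"\listoverridecount0\ls1}}\pard Quarterly report\par}")
SUSPECT_RTF = (rb"{\rtf1\ansi\deff0{\*\listoverridetable{\listoverride\listid1"
               rb"\listoverridecount13\lfolevel\ls1}}\pard\par}")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        for offset, word, value in scan_rtf(doc):
            print(f"{name}: \\{word}{value} at byte offset {offset}")
        print(f"{name}: suspicious={is_suspicious(doc)}")
```

A single control-word check like this is deliberately narrow: it will catch documents that reuse the malformed list override, but a production engine layers many such rules and also inspects the binary data an RTF carries, since, as described above, this sample stored its second-stage code inside the file itself.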

Solutions and Prevention

As we noted in our first post on this threat, even before the official Microsoft patch (described in MS14-017) was released, we were able to heuristically detect this particular threat via Deep Discovery using the ATSE (Advanced Threats Scan Engine) and prevent users from being affected. However, we still recommend that users apply this patch in order to ensure the security of their systems.

While other threats like those in online applications (such as browsers and plugins) or online services and protocols (like Heartbleed) may garner more attention, this threat is a reminder that more conventional threats, like exploits in RTF files, have not gone away. If anything, we have recently observed RTFs used in several attacks as carriers of CPL downloaders and backdoors.

We cannot rule out the possibility that CVE-2014-1761 will continue to be a threat moving forward, especially since many users will forget to update their installed version of Microsoft Word. For these users, our heuristic detection will be able to help reduce the risks of these attacks.
