Booby-trapped Word documents in the wild exploit critical Microsoft 0day

Topic

New Reply

The exploit appears in a Word doc attached to an email message. When you open the doc, it has an embedded link that retrieves an executable HTML file
[See the full post at: Booby-trapped Word documents in the wild exploit critical Microsoft 0day]

2 users thanked author for this post.

Jonesy, satrow

Reply | Quote

Replies

Hmm, Script Defender might provide protection from this as it intercepts several scripting calls, including .hta. I don’t know whether it will install/work on W8 > 10 though.

http://www.analogx.com/contents/download/System/sdefend/Freeware.htm

1 user thanked author for this post.

Noel Carboni

Reply | Quote

Does this exploit require VB/VBA to fire? From what I read it does not appear to affect Macs so I assume it requires some Windows dlls to run.

Reply | Quote

It’s an HTML Application, probably IE (maybe Edge)-only, .hta: https://msdn.microsoft.com/en-us/library/ms536496%28v=vs.85%29.aspx though I haven’t studied (nor am I qualified to) the internals of this exploit.

2 users thanked author for this post.

lurks about, Noel Carboni

Reply | Quote

Thank you for the link. I did a CRTL+F search for ActiveX and this is what I garnered.

The trusted status of HTAs also extends to all operations subject to security zone options. In short, zone security is off. Consequently, HTAs run embedded Microsoft ActiveX controls and Java applets irrespective of the zone security setting on the client machine. No warning displays before such objects are run within an HTA. HTAs run outside of the Internet Explorer process, and therefore are not subject to the security restrictions imposed by Protected Mode when run on Windows Vista.

I’m wondering if only disallowing ActiveX would mitigate the HTA’s payload.

Reply | Quote

The FireEye post contains this sentence: “The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file.”  Does this mean that if one opens a Word file not in MS Word, programs such as WordPerfect or Open Office, the malicious code will not execute?

Reply | Quote

I think the .hta file would directly trigger IE to run it as ‘just’ another executable, thus my earlier reply suggesting Script Defender to intercept this and other rare scripting calls. I’m unsure whether a more basic MS, or a non-MS .doc handling would also allow an hta component to be passed on to IE.

If the .doc software was disallowed from accessing the Internet, that might also be a workaround.

Reply | Quote

Thanks for the reply, I’ve installed Scripts Defender, everybody if you do this, read the install notes because there is a certain thing one has to do to properly remove SD.  Here’s my question: Do I have to put SD in the Windows Startup folder and keep it running for full protection?  I imagine I could also just launch it when I receive a Word Document as well.  Again, thanks.

1 user thanked author for this post.

Reply | Quote

Once installed it adds the redirects and can be closed, it doesn’t need to be run at every boot, it becomes passive.

Use the test.vbs (or create a dummy .hta) and check it’s working.

Reply | Quote

Yes, thanks so much. A test.vbs file does launch Script Defender (SD), but, as you are assuming a fact not in evidence, I am not a dummy :), if SD indicates there is a script, one either bugs out of the Word file or one aborts running the VBS when prompted by SD, right? Once again, thanks.

Reply | Quote

If a file type set to be intercepted by SD is launched, SD will leap into action, as you have witnessed. If the interception is unexpected, it should be aborted, at least until you’ve had time to figure out how/what launched the script.

There are very few softwares/installers that use the default intercepted script types (I only have one, rarely updated) but your software usage is probably very different to mine.

What can be a nuisance is where WinPatrol is also installed, on installation of SD it will intercept the change in default handler for (most? of) those file types, so just allow the changes.

Obviously, if you do use a lot of those script types, say *.vbs, SD can also become something of a nuisance but I feel those few extra seconds clicking away the SD popup are worth the extra feedback and potential data/monetary security.

Reply | Quote

Many thanks, once again. Funny you should mention WinPatrol, I do use it, but allowed SD to make the changes, so SD did what it should do when I ran a test.vbs file.

Also for everybody, there does not appear to be a Protected View option for versions of Word before Word 2010: https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653 .

1 user thanked author for this post.

SueW

Reply | Quote

Deleting the .hta file association for IE might work also, but it is nice to know that the AnalogX software still is effective.

Reply | Quote

The HTA host program is labeled as being a part of IE 11 in the program version information. I thought that turning off IE 11 would delete all of the files with a such a warning that it might break the system (and a help link that provides no explanation to boot). 🙁

Reply | Quote

winword.exe issues a HTTP request to a remote server …

I’d be interested in knowing specifically what web site it contacts; I probably already have it blacklisted, but if not it would certainly be a good site to add to the lists. Unfortunately, in all the “for public” releases that information has been redacted.

All these “news” releases appear to seek to sell users security software rather than to inform the public of threat specifics so they can protect against it directly.

Also, several sites mention using “Protected View”, but I didn’t note any specific instructions for ensuring Office “Trust Center” settings are proper (e.g., File – Options, choose Trust Center, etc.)

-Noel

3 users thanked author for this post.

Elly, samak, satrow

Reply | Quote

The main artical has a link to “What is Protected View”, perhaps it was added after your comment.

I want to change my Protected View settings

We advise speaking with your administrator before you make changes to your Protected View settings.

Click File > Options.

Click Trust Center > Trust Center Settings > Protected View.

Make selections that you want.

1 user thanked author for this post.

samak

Reply | Quote

I’d be interested in knowing specifically what web site it contacts

Yeah, what’s up with that? Go to the McAfee link and email them Noel and sent them your Post as a resume, and pursuade them to give up the IP. YOU CAN DO IT~~

Topic: A Description of My Quite Effective Security Environment (Long) @ AskWoody

Reply | Quote

This is what I see in the LibreOffice security settings.

Reply | Quote

Part of my security strategy involves denying all applications access to the LAN and the WAN –  a local software firewall (part of a 2-nd layer of protection) displays an ask/deny  dialog for anything trying to execute in or out communication .  I would venture that I’m protected from this threat because the firewall would block Word from fetching the malicious URL; yes, no?

However, if Word used any comm routines involving “svchost” before opening its GUI, then obviously I’m screwed because I allow svchost full access at all times.  But I’ve never seen any MS Office app behave this way, ever!  I only use Office 2003 & 2007, never will use 360 or any other cloud based office version.

Reply | Quote

Look at this again John,

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft. The following is a part of the communications we captured:

Yet at the bottom of the post they say that MS’s own Protected View (software based) will mitigate the payload by running/opening the file in a “restricted mode.”

Trust Center contains security & privacy settings

 

I don’t have a version of Office that incorpoates Protected View. Yet I have looked into MalewareBytes Anti-Exploit’s Advance Settings as seen in this review and see simalary terminology. So I think (and have seen it block web traffic) I’ll rest better. Plus I’m not exactly Zero-Day target material anywho.

Reply | Quote

Noel Carboni wrote:

All these “news” releases appear to seek to sell users security software rather than to inform the public of threat specifics so they can protect against it directly.

Yup.  Saw this comment in the FireEye article…

“The vulnerability is bypassing most mitigations; however, as noted above, FireEye email and network products detect the malicious documents.”

 

1 user thanked author for this post.

Reply | Quote

anonymous wrote:

Look at this again John,

I don’t have a version of Office that incorpoates Protected View. Yet I have looked into MalewareBytes Anti-Exploit’s Advance Settings as seen in this review and see simalary terminology. So I think (and have seen it block web traffic) I’ll rest better. Plus I’m not exactly Zero-Day target material anywho.

FYI, MalwareBytes Anti-Exploit is now part of Malwarebytes 3.0 Premium.  It is available as a 14 day free trial, that reverts to a free version malware scanner without real-time protection.

https://www.malwarebytes.com/antiexploit/

Reply | Quote

Probably not so obvious from my write-up: Zero-days as juicy as this one are often the work of nation-states, so people like you and me don’t need to get too worked up. (Unless you’re providing high security support to a military organization.)

But as soon as the details are published, malware script manufacturers run around trying to replicate the infection scenario, all the better to sell the latest to script kiddies.

That’s why “responsible disclosure” really matters.

2 users thanked author for this post.

lizzytish, Jonesy

Reply | Quote

A patch is expected tomorrow as part of Patch Tuesday (see last sentence): http://www.zdnet.com/article/hackers-are-attacking-word-users-with-new-microsoft-office-zero-day-vulnerability/?loc=newsletter_large_thumb_featured&ftag=TRE17cfd61&bhid=20703193368173122880888901483479

1 user thanked author for this post.

walker

Reply | Quote

So Vess (er, Dr. Bontchev) is right. Doesn’t surprise me. He’s always right. 🙂

Reply | Quote

A workaround is documented at Microsoft OLE2Link object improperly handles remotely-linked WebDAV data.

Reply | Quote

Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day

Reply | Quote

A tweet from the person who purportedly originally discovered this vulnerability:

“the vulnerability I discovered is exploited through Office, but that does not necessarily mean it is isolated to Office”

Given the description of the vulnerability, I agree.

2 users thanked author for this post.

Jonesy

Reply | Quote

Fixed in these updates:

Office 2016: https://support.microsoft.com/en-us/help/3178703/description-of-the-security-update-for-office-2016-april-11-2017

Office 2013: https://support.microsoft.com/en-us/help/3178710/description-of-the-security-update-for-office-2013-april-11-2017

Office 2010: https://support.microsoft.com/en-us/help/3141538/description-of-the-security-update-for-office-2010-april-11-2017

Office 2007: https://support.microsoft.com/en-us/help/3141529/description-of-the-security-update-for-2007-microsoft-office-suite-apr

Reply | Quote

CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API

Note: There are patches for Windows in addition to Office.

Reply | Quote

Filtered
CVE-2017-0199

04/11/2017 4014793 Windows Vista Service Pack 2
04/11/2017 4014793 Windows Server 2008 for 32-bit Systems Service Pack 2
04/11/2017 4015549 Windows Server 2008 R2 for x64-based Systems Service Pack 1
04/11/2017 4014793 Windows Server 2008 for x64-based Systems Service Pack 2
04/11/2017 4014793 Windows Server 2008 for Itanium-Based Systems Service Pack 2
04/11/2017 4015549 Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
04/11/2017 4015551 Windows Server 2012
04/11/2017 4014793 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
04/11/2017 4014793 Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
04/11/2017 4015549 Windows 7 for x64-based Systems Service Pack 1
04/11/2017 4015551 Windows Server 2012 (Server Core installation)
04/11/2017 4015549 Windows 7 for 32-bit Systems Service Pack 1
04/11/2017 4015549 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
04/11/2017 4014793 Windows Vista x64 Edition Service Pack 2
04/11/2017 3178710 Microsoft Office 2013 Service Pack 1 (64-bit editions)
04/11/2017 3178710 Microsoft Office 2013 Service Pack 1 (32-bit editions)
04/11/2017 3141529 Microsoft Office 2007 Service Pack 3
04/11/2017 3178703 Microsoft Office 2016 (32-bit edition)
04/11/2017 3141538 Microsoft Office 2010 Service Pack 2 (32-bit editions)
04/11/2017 3141538 Microsoft Office 2010 Service Pack 2 (64-bit editions)
04/11/2017 3178703 Microsoft Office 2016 (64-bit edition)

1 user thanked author for this post.

Jonesy

Reply | Quote

CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

Reply | Quote

An important detail from CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API:

“The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue.”

It seems that both the Windows and an Office update are needed to make Office invulnerable to this vulnerability.

Reply | Quote

It seems my previous statement is likely correct. Operating systems before Windows 7 have a separate Windows update Security update for the Microsoft Office remote code execution vulnerability: April 11, 2017 that updates file ole32.dll and some other operating system files. Windows 7 and 8.1 have similar changes in the monthly rollups and security-only updates.

Reply | Quote

MBAE 1.09 – Latest standalone BETA
1.09.1.1384 4/12/2017

https://forums.malwarebytes.com/topic/184939-mbae-109-latest-standalone-beta/?do=findComment&comment=1116935

New Features:
• Hardened and more secure API hooking framework
• Added self-protection mechanisms
• Added sandbox technique for Silverlight
• Added Layer3 techniques against Macro exploits
• Added Layer3 techniques against social engineering exploits
• Added Java advanced configuration options for companies
• Added dynamic configuration feature to manage conflicts
• Added support for MS Play Ready
• Changed balloon notification to off by default
• Remove Run entry during uninstallation

Fixes:
• Fixed conflict with Symantec DLP
• Fixed conflict with Chinese banking software
• Fixed conflict with Sophos AV
• Fixed Edge browser crashes on Windows Insider Preview builds
• Fixed MS Office application crashes with MBAE
• Fixed conflict with McAfee HIPS
• Fixed false positives with Java Protection Technique
• Fixed a logging issue for critical errors
• Fixed service restart issues

Direct Download

Reply | Quote

Crikey.

I don’t have Office X, just the Win7Pro 64 SP1 OS. I use OpenOffice 4.1.3 and Foxit PDF. When Dell and local Mr Fixit Computer Guy insist on turning on WU to Auto and installing the March patches without clearing it with me first, I feel like it’s you and me against the world.

Based on all the checking I’ve been doing this week, I think, I could be wrong, but I think I’m ok, despite getting a .doc from tcm.com with a return USPS label for some bad Adam-12. It has been decades since anyone has done that to me.

Just for that, they won’t get my MST3K The Joel Years order. The Mike Years will see me later.

Many thanks to Woody and all his compatriots for ramrodding this patch drive. Extra brews are due ye.

Still Learning

Reply | Quote

Did Microsoft Drop the Ball on the Word Zero-Day Flaw?

Reply | Quote

Forgive me if this question seems dumb, but why in the name of all things holy would these companies even operate under a system as dumb as “make the bug known, and if no fix comes in 60 days we’ll post the exploit in public where hackers can use it.”

Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
A weatherman that can code

Reply | Quote

McAfee screwed up:

As to why the company published the blog post four days prior to Patch Tuesday, McAfee attributed it to a “glitch.”
“We had a glitch in our communications with our partner Microsoft that impacted a coordinated response to these attacks, which is being corrected,” writes Vincent Weafer, vice president of McAfee Labs. “We have nothing more to say at this time.”

http://www.bankinfosecurity.com/blogs/did-microsoft-drop-ball-on-word-zero-day-flaw-p-2448

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

1 user thanked author for this post.

woody

Reply | Quote

Your desperation to defend Windows (in particular, Windows10) led you to not even coming close to answering my question.

Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
A weatherman that can code

Reply | Quote

AlexN wrote:

Your desperation to defend Windows (in particular, Windows10) led you to not even coming close to answering my question.

I answered your question completely and exactly, and it had nothing whatsoever to do with Windows 10.

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

Reply | Quote

Was anyone able to test whether or not EMET protected against this?
The Ars article mentioned not knowing whether EMET did protect against it, but I see no confirmation either way.
I figure since many of us here are more stringent on ‘how’ we test, maybe someone’s covered that.
Just curious – TIA. 🙂

Reply | Quote

When I tested, I didn’t test against EMET, but I highly doubt EMET would help in this case.

Reply | Quote

Has this been patched yet?

1 user thanked author for this post.

Reply | Quote

Yes, in the April 2017 patches. You very likely (in my opinion) need both the relevant Office patch and the April 2017 Windows update to fix this issue for Office.

Reply | Quote

CVE-2017-0199 Demo (video)

Reply | Quote

Thanks for posting a demonstration video link.

1 user thanked author for this post.

MrBrian

Reply | Quote

From CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API:

“[Version] 1.1     21-Apr-2017     Corrected severity entries for Microsoft Office products. This is an informational change only. Customers who have successfully installed the update do not need to take any further action.”

Reply | Quote

From Hackers exploited Word flaw for months while Microsoft investigated:

“To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199.

The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft’s regular monthly security update.

But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time. “

Reply | Quote

From An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability (June 4, 2017):

“FortiGuard Labs recently came across a new strain of samples exploiting the CVE-2017-0199 vulnerability. This vulnerability was fixed by Microsoft and the patch was released in April 2017. Due to its simplicity, it can be easily exploited by attackers. It has also been found in-the-wild by other vendors. We have also blogged about some samples recently found in spear phishing attack.”

2 users thanked author for this post.

Kirsty, woody

Reply | Quote

CVE-2017-0199 is listed as a “top 10” issue at McAfee’s Threat Landscape Dashboard (in both the Threats and Vulnerabilities tabs)

Reply | Quote