
Zero-Day Attack Exploits Windows via Malicious Word Doc

Microsoft Patches Flaw, Warns It Could Be Exploited via Websites, Malvertising

A bevy of newly revealed vulnerabilities in code from Microsoft and Adobe will require immediate fixing.


Microsoft's May security bulletin includes fixes for 67 unique flaws in its software, of which 21 are rated critical, which often means they can be remotely exploited by attackers to execute arbitrary code on a vulnerable system. Of the rest of the flaws, 42 are rated as important while four are of low severity.

Vulnerable software includes Microsoft's Edge and Internet Explorer browsers, as well as its Office, Exchange and Outlook software.

One of the most critical flaws is a "use after free" vulnerability in the Windows VBScript engine that can be used to force Internet Explorer to load and execute code.

The flaw, designated CVE-2018-8174, was first identified last month by researchers at Moscow-based security firm Kaspersky Lab and reported to Microsoft. It exists in Windows 7, Windows RT, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016.

"This exploit was found in the wild and was used by an APT actor," the Kaspersky Lab researchers say in a blog post.

As defined by Estonia's foreign intelligence service, APT - short for advanced persistent threat - refers to "carefully targeted, long-term cyber operations in the course of which attackers combine multiple techniques to obtain the needed information about the target."

The Kaspersky Lab researchers say they found the flaw after the company's sandbox system automatically analyzed an exploit that someone uploaded to malware-scanning service VirusTotal on April 18. "This exploit was detected by several AV vendors including Kaspersky, specifically by our generic heuristic logic for some older Microsoft Word exploits," the researchers say.

The zero-day attack targeted victims via malicious Microsoft Word documents.

Attack Flow

Kaspersky Lab says such attacks proceeded as follows:

  • The victim receives a malicious Microsoft Word document in RTF format that contains an OLE - "object linking & embedding" - object that uses a URL Moniker that will force Internet Explorer to remotely load a specified web page.
  • If the victim opens the malicious document, a second-stage exploit gets downloaded in the form of an HTML page that contains VBScript code.
  • The VBScript code triggers the use-after-free vulnerability - a type of memory corruption - to run shellcode.

"Despite a Word document being the initial attack vector, the vulnerability is actually in VBScript, not in Microsoft Word," Kaspersky Lab researchers say.
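The document-side indicator in the attack flow above is an RTF file carrying an OLE object whose data contains a URL Moniker. The following triage script is an added example and is not code from Kaspersky Lab, Microsoft or this article: it pulls the hex payload out of every `\objdata` group in an RTF, looks for the serialised URL Moniker class identifier (CLSID_StdURLMoniker, `{79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}`, a real Windows CLSID), and reports any URL found after it. The layout of the data following the CLSID (a DWORD byte count, then a null-terminated UTF-16LE URL) is assumed from standard moniker persistence; the sample document built by `build_sample_rtf` is a constructed fixture that carries only the moniker signature and a fake URL, not a working exploit.

```python
import re
from typing import Dict, List

# CLSID_StdURLMoniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, as it appears
# on disk (each of the first three GUID fields is stored little-endian).
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

OBJDATA_RE = re.compile(rb"\\objdata\b")
HEX_DIGITS = b"0123456789abcdefABCDEF"


def extract_objdata_blobs(rtf: bytes) -> List[bytes]:
    """Decode the hex payload of every \\objdata group in an RTF file.

    Simplified RTF walk: hex digits between the control word and the closing
    brace of its group are collected; whitespace and nested control words are
    skipped, so hex split across lines (as Word writes it) is handled.
    """
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        pos, depth = m.end(), 1
        hexchars = bytearray()
        while pos < len(rtf) and depth > 0:
            c = rtf[pos]
            if c == 0x7B:            # '{' nested group
                depth += 1
            elif c == 0x7D:          # '}' end of group
                depth -= 1
            elif c == 0x5C:          # '\' control word or control symbol
                pos += 1
                if pos < len(rtf) and chr(rtf[pos]).isalpha():
                    while pos < len(rtf) and chr(rtf[pos]).isalpha():
                        pos += 1
                    while pos < len(rtf) and (chr(rtf[pos]).isdigit() or rtf[pos] == 0x2D):
                        pos += 1
                else:
                    pos += 1         # escaped char such as \{ or \\
                continue
            elif c in HEX_DIGITS:
                hexchars.append(c)
            pos += 1
        if len(hexchars) % 2:        # tolerate a dangling nibble
            hexchars = hexchars[:-1]
        blobs.append(bytes.fromhex(hexchars.decode("ascii")))
    return blobs


def find_url_monikers(blob: bytes) -> List[str]:
    """Return every URL that follows a serialised URL Moniker CLSID in blob."""
    urls, start = [], 0
    while True:
        idx = blob.find(URL_MONIKER_CLSID, start)
        if idx < 0:
            return urls
        p = idx + len(URL_MONIKER_CLSID)
        # Assumed layout: DWORD byte count, then null-terminated UTF-16LE URL.
        if p + 4 <= len(blob):
            length = int.from_bytes(blob[p:p + 4], "little")
            raw = blob[p + 4:p + 4 + length]
            urls.append(raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0])
        start = p


def scan_rtf(rtf: bytes) -> Dict[str, object]:
    """Triage verdict: any URL Moniker inside an OLE object is worth a look."""
    blobs = extract_objdata_blobs(rtf)
    urls = [u for b in blobs for u in find_url_monikers(b)]
    return {"objects": len(blobs), "urls": urls, "suspicious": bool(urls)}


def build_sample_rtf(url: str) -> bytes:
    """Constructed fixture: a minimal RTF whose single OLE object carries a
    URL Moniker pointing at `url`. The 8-byte prefix stands in for an OLE1
    header and is not a valid stream; only the moniker signature is realistic."""
    wide = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + len(wide).to_bytes(4, "little") + wide
    hexdata = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + moniker).hex()
    lines = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata\n"
            + lines.encode("ascii") + b"\n}}\nHello}")


if __name__ == "__main__":
    sample = build_sample_rtf("http://example.invalid/stage2.html")
    print(scan_rtf(sample))
    print(scan_rtf(b"{\\rtf1\\ansi Hello}"))
```

The walk over RTF is deliberately minimal; production triage should use a full parser such as `rtfobj` from the oletools project, which also handles `\bin` data and heavier obfuscation. The point of the check is that a URL Moniker inside an embedded object is a strong signal regardless of which browser is the default, which is exactly why the technique matters in the attack flow above.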

Warning: Patch Flaw Immediately

Security experts recommend all Windows users - individuals and businesses alike - patch this flaw as quickly as possible.

"This is the first time we've seen a URL Moniker used to load an IE exploit, and we believe this technique will be used heavily by malware authors in the future," Kaspersky Lab researchers say. "This technique allows one to load and render a web page using the IE engine, even if default browser on a victim's machine is set to something different."

Microsoft, in a Tuesday security advisory, warned that the flaw could also be exploited via a malicious or compromised website.

"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website," Microsoft warns.

The exploit could also be delivered via malicious advertisements, or malvertising (see Online Advertising: Hackers' Little Helper).

"The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements," Microsoft says. "These websites could contain specially crafted content that could exploit the vulnerability."

Microsoft says it was alerted to the flaw both by Kaspersky Lab as well as researchers from Chinese security firm Qihoo 360 Core Security.

Attackers Exploit Win32k Flaw

Also on Tuesday, Microsoft patched a privilege elevation vulnerability in Win32k, a critical system file built into Windows. The bug, designated as CVE-2018-8120, is being exploited in the wild. It allows attackers to run arbitrary code in kernel mode, meaning they could fully compromise any vulnerable system, install malware and steal all data.

"To exploit this vulnerability, an attacker would first have to log on to the system," according to Microsoft's security advisory. "An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system."

Microsoft says the flaw was discovered and reported to it by Anton Cherepanov, a senior malware researcher at ESET.

The fix issued Tuesday updates vulnerable operating systems and versions. They include both 32-bit and 64-bit versions of Windows 7 and Windows Server 2008. "The update addresses this vulnerability by correcting how Win32k handles objects in memory," Microsoft says.

More Patches: Hyper-V, Kernel, Azure IoT Device Library

Also on Tuesday, Microsoft issued an update for its Windows Server virtualization platform, Hyper-V. It fixes CVE-2018-0961, which could be used to abuse vSMB packets so that an attacker who already had access to an instance of the virtual machine could "run a specially crafted application that could cause the Hyper-V host operating system to execute arbitrary code," it says.

In addition, it fixed CVE-2018-0959, which an attacker could exploit via a guest operating system on Hyper-V, again to execute arbitrary code.

Two other fixes of note include Microsoft's patch for a privilege-escalation vulnerability in the Windows kernel that could be abused by a local attacker. The flaw in Windows 10 and Windows Server, designated CVE-2018-8170, had been publicly reported but has not yet been seen in in-the-wild attacks.

Also, Microsoft has fixed a spoofing vulnerability in its Azure IoT Device Provisioning AMQP Transport library. "An attacker who successfully exploited this vulnerability could impersonate a server used during the provisioning process," according to Microsoft's security alert. "To exploit this vulnerability, an attacker would need to perform a man-in-the-middle (MitM) attack on the network that provisioning was taking place."

Critical Flash Fix

Microsoft's Tuesday security alert also references fixes from Adobe. On Tuesday, Adobe released updates for its Flash Player, running on Windows, Macintosh, Linux and Chrome OS, to fix a "type confusion" flaw that attackers could exploit to execute arbitrary code on a system.

Adobe credits discovery of the "critical" flaw, designated CVE-2018-4944, to Jihui Lu of security research group Tencent KeenLab (see 2016 Resolution: Ditch Flash).

Start Here

Where to start? "Microsoft recommends first fixing CVE-2018-8174, then to focus on all browser updates, and then turn your attention to Hyper-V," says Gill Langston, director of product management at Qualys, in a blog post.

First, however, some organizations may need to update their version of Windows to ensure they're still getting the latest cumulative and security updates.

Last month, Microsoft warned that it would no longer be supporting Windows 10 version 1607, aka the "Anniversary Update," which was first introduced in August 2016, or older versions of the OS. Business users can continue to receive security-only updates for six months, Microsoft says, or organizations can pay for pricey extended-support contracts.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
