SAN FRANCISCO – A previously unknown bug in Microsoft Office has been spotted being actively exploited in the wild; it can be used to bypass security solutions and sandboxes, according to findings released at the RSA Conference 2019.
The bug exists in the OLE file format and the way it’s handled in Microsoft Word, said researchers from Mimecast. They noted that the OLE32.dll library incorrectly handles integer overflows.
Microsoft told the researchers that patching the problem is on the back burner.
The flaw allows attackers to hide exploits in weaponized Word documents in a way that won’t trigger most antivirus solutions, the researchers said. In a recent spam campaign observed by Mimecast, attached Word attachments contained a hidden exploit for an older vulnerability in Microsoft Equation Editor (CVE-2017-11882). On unpatched systems, the exploit unfolded to drop a new variant of Java JACKSBOT, a remote access backdoor that infects its target only if Java is installed.
JACKSBOT is capable of taking complete control of the compromised system. It has full-service espionage capabilities, including the ability to collect keystrokes; steal cached passwords and grab data from web forms; take screenshots; take pictures and record video from a webcam; record sound from the microphone; transfer files; collect general system and user information; steal keys for cryptocurrency wallets; manage SMS for Android devices; and steal VPN certificates.
“The thing that stands out for me is that the attackers behind this were keen on using the Equation exploit, probably because they found it more reliable than others, and they then worked out on a bypass to allow this go through undetected,” Meni Farjon, chief scientist for advanced threat detection at Mimecast, told Threatpost. “This process of chaining these two, a code-execution exploit and a flaw which leads to a bypass is somewhat unique and we don’t see many of these in data-format exploits.”
The Flaw in Depth
An Object Linking and Embedding (OLE) Compound File essentially acts as an underlying file system for information and objects present in a Microsoft Word document. It contains streams of data that are treated like individual files embedded within the OLE file itself. Each stream has a name (for example, the top-level stream of a document is straightforwardly named “WordDocument). Streams can also contain information on macros in the document and the metadata of a document (i.e., title, author, creation date, etc.).
Mimecast said that according to the format specifications for the Compound File Binary File Format, the OLE stream header contains a table called DIFAT, which is made up of an array of numbers that includes section IDs and some special numbers – it’s here that the problem resides.
“To access the sector N in the table, it’s offset computed using the following formula: sector size * (sector ID + 1), when sector ID is DIFAT[N],” the researchers explained in findings. “It seems that when a big sector ID exists, [this formula] leads to an integer-overflow that results in a relatively small offset. Because the result is more than 32 bits (integer overflow), only the lowest 32 bits will be the product when the code above performs the calculation. In other words, the calculated offset will be 0x200 = 512.”
Obviously 0X200 is not 512, so the system sees an impossible offset; this can lead it to crash or, at the very least, ignore the section, including any exploit that may be hiding there.
“This behavior is not documented by Microsoft, but it can confuse high-level parsers, which will not notice the overflow,” according to the research.
In the Wild
Mimecast researchers said that they’ve seen several attacks in the last few months that chain together the CVE-2017-11882 exploit with the OLE flaw, which has been successful, they said, in amplifying the attack to make it go undetected.
“Our systems were able to spot an attacker group, which seems to originate from Serbia, using specially crafted Microsoft Word documents…in a way which caused the attacks to circumvent many security solutions designed to protect data from infestation,” Mimecast said. The firm didn’t specify which security solutions they’re referring to.
“[With] this chaining of the older exploit with this integer overflow, Microsoft Office Word mishandles this error. It ignores the higher bytes of the OLE sector ID, loading the malicious object (CVE-2017-11882) into memory while not following the correct guidelines,” the researchers said.
Farjon told Threatpost that although the newly found issue is being used in the wild, “exploiting this is not an easy task, as it requires deep format understanding.” It’s the difficulty in execution that is likely behind Microsoft’s decision to not immediately patch the problem, he said.
Despite evidence that the flaw is being actively exploited to great effect in the wild, the Microsoft Security Response Center told Mimecast that it will not be fixing OLE with a security patch anytime soon, because the issue by itself does not result in memory corruption and thus doesn’t meet the security bar for an immediate fix.
“What Microsoft said is that they won’t be fixing it right now, but perhaps they will on a later undefined date,” Farjon told Threatpost.
He added, “They said it is an unintended behavior, but at the same time that it is not important enough to fix right now. Realistically, Microsoft needs to prioritize their work on patches, so their decision makes sense. That being said, it’s up to security professionals to make sure their systems are as up to date as possible and that they are leveraging the threat intelligence they need to better manage today’s evolving threats.”
The researcher also offered a bottom-line assessment: “Analyzing all possible outcomes of such flaw is a tough task,” he said. “Mimecast worked with the Microsoft Security Response Center and they did analyze all possible outcomes, and came to the conclusion that it didn’t result in memory corruption. So, while it may not be severe, having another tool for attackers to bypass security solutions is not a good thing.”
Threatpost reached out to the computing giant for comments on the findings, and received a short statement: “The bug submitted did not meet the severity bar for servicing via a security update,” said a Microsoft spokesperson.
Follow all of Threatpost’s RSA Conference 2019 coverage by visiting our special coverage section.