BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Microsoft Word Zeroday – Set to expire?

Posted March 25, 2014    BeyondTrust Research Team

Researchers at Google have notified Microsoft of a new Word zeroday vulnerability. This attack is currently being leveraged in the wild to target systems running Microsoft Word 2010. The attack can be successful simply by a user opening a maliciously crafted RTF file within Microsoft Word.

The full extent of the breaches caused by this zeroday vulnerability is unknown, but Microsoft has provided some information about the exploit payload and subsequent malware itself. The exploit is sophisticated enough to be able to bypass some built-in operating system security protections, such as ASLR. But even more interesting is the fact that the logic of the exploit will look to see if a system has had any new Microsoft patches installed after April 8, 2014 and if so, it will not install its secondary malware payload. April 8th, 2014 is of course next month’s Patch Tuesday.

If the exploit is successful, it will copy a piece of malware to the affected users %temp% folder and then also enable the malware to start on the next system reboot by adding a registry entry to the current users RunOnce registry key. Neither of these two locations require Administrative rights to prevent the malware from successfully embedding in a system. However, least-privilege environments, such as those leveraging PowerBroker, can still help limit the future efforts of attackers in this case.

For example, if your employees are running with local Administrator privileges, as soon as an attacker successfully leverages this Word vulnerability, they could execute privileged commands, such as dumping all user account password hashes present on a system. An attacker could then leverage these account credentials to move laterally through your environment. On the flip side, however, if you are properly implementing a least-privilege environment where users are running as standard user accounts, then performing privileged functions, such as password dumps, would be prevented and only possible if the attackers employed a secondary privilege escalation exploit. In this particular attack, we have not witnessed the attackers using any secondary privilege escalation exploits to gain more privileges.

We have added an entry into our ZeroDay Tracker for this vulnerability, so check back as we will be updating it with any new information:
http://www.eeye.com/resources/security-center/research/zero-day-tracker/2014/20140324

Also, for customers leveraging PowerBroker for Windows in their environments, you can secondarily create a specific rule to block the malicious file hashes that are known so far:
MD5: af63f1dc3bb37e54209139bd7a3680b1
SHA1: 77ec5d22e64c17473290fb05ec5125b7a7e02828

For customers leveraging Retina for Vulnerability Management, you can use the following Retina Audits to detect vulnerable versions of Word:
33352 – Microsoft Office Remote Code Execution (2953095) (Zero-Day) – Windows
33353 – Microsoft Office Remote Code Execution (2953095) (Zero-Day) – Mac OS X

Check back to our blog for any updates as we learn any new information.

Further reading:
Microsoft Advisory – http://technet.microsoft.com/en-us/security/advisory/2953095
Microsoft Technical Blog – http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx
CVE Entry – http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1761

Tags:
, ,

Leave a Reply

Additional articles

PowerBroker Password Safe Password Age Report

Reshaping Privileged Password Management with Password Safe 5.2

Posted July 21, 2014    Martin Cannard

Today, we’re pleased to unveil the latest edition of our privileged password management solution, PowerBroker Password Safe. I’ll start with a brief intro of what’s new and then tell you a little about the driving factors behind Password Safe development. New features for mitigating password risk and ensuring accountability enterprise-wide Here’s the 10,000-foot overview of…

Tags:
, , ,
PowerBroker for Windows tamper protection

PowerBroker for Windows 6.6 Tamper Protection

Posted July 18, 2014    Morey Haber

I have a bone to pick: Stopping an administrator from performing an action on a system is futile endeavor. As an administrator, there is always a way to circumvent a solution’s from tampered protection. Really! By default, Windows administrators have unrestricted access to the system – and even though an application, hardened configuration, or group policy…

Tags:
, ,
PowerBroker for Windows can be configured to automatically identify the end user’s language preference

Implementing Least Privilege Around the World with PowerBroker for Windows

Posted July 17, 2014    Morey Haber

BeyondTrust recognizes that international, multilingual businesses have unique operating challenges, especially when it comes to implementing enterprise software. PowerBroker for Windows is a least-privilege solution often deployed across thousands of systems spanning multiple geographies and protecting users of diverse backgrounds. Earlier this year, PowerBroker for Windows introduces new data privacy features for EMEA and APAC,…

Tags:
, ,