Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Microsoft Word Zeroday – Set to expire?

Posted March 25, 2014    BeyondTrust Research Team

Researchers at Google have notified Microsoft of a new Word zeroday vulnerability. This attack is currently being leveraged in the wild to target systems running Microsoft Word 2010. The attack can be successful simply by a user opening a maliciously crafted RTF file within Microsoft Word.

The full extent of the breaches caused by this zeroday vulnerability is unknown, but Microsoft has provided some information about the exploit payload and subsequent malware itself. The exploit is sophisticated enough to be able to bypass some built-in operating system security protections, such as ASLR. But even more interesting is the fact that the logic of the exploit will look to see if a system has had any new Microsoft patches installed after April 8, 2014 and if so, it will not install its secondary malware payload. April 8th, 2014 is of course next month’s Patch Tuesday.

If the exploit is successful, it will copy a piece of malware to the affected users %temp% folder and then also enable the malware to start on the next system reboot by adding a registry entry to the current users RunOnce registry key. Neither of these two locations require Administrative rights to prevent the malware from successfully embedding in a system. However, least-privilege environments, such as those leveraging PowerBroker, can still help limit the future efforts of attackers in this case.

For example, if your employees are running with local Administrator privileges, as soon as an attacker successfully leverages this Word vulnerability, they could execute privileged commands, such as dumping all user account password hashes present on a system. An attacker could then leverage these account credentials to move laterally through your environment. On the flip side, however, if you are properly implementing a least-privilege environment where users are running as standard user accounts, then performing privileged functions, such as password dumps, would be prevented and only possible if the attackers employed a secondary privilege escalation exploit. In this particular attack, we have not witnessed the attackers using any secondary privilege escalation exploits to gain more privileges.

We have added an entry into our ZeroDay Tracker for this vulnerability, so check back as we will be updating it with any new information:

Also, for customers leveraging PowerBroker for Windows in their environments, you can secondarily create a specific rule to block the malicious file hashes that are known so far:
MD5: af63f1dc3bb37e54209139bd7a3680b1
SHA1: 77ec5d22e64c17473290fb05ec5125b7a7e02828

For customers leveraging Retina for Vulnerability Management, you can use the following Retina Audits to detect vulnerable versions of Word:
33352 – Microsoft Office Remote Code Execution (2953095) (Zero-Day) – Windows
33353 – Microsoft Office Remote Code Execution (2953095) (Zero-Day) – Mac OS X

Check back to our blog for any updates as we learn any new information.

Further reading:
Microsoft Advisory –
Microsoft Technical Blog –
CVE Entry –

, ,

Leave a Reply

Additional articles


Answering the age-old question, ‘What’s plugged into my network?’

Posted October 9, 2015    Alejandro DaCosta

“What’s plugged into my network?” is a question I hear frequently from security administrators. And, really, it’s no surprise why. No longer do we have to account just for the physical servers in our datacenters, workstations and a few network devices. Now we need to keep track of roaming laptops, dynamic virtual systems, off-site cloud deployments and BYOD.


Closing the Vulnerability Gap

Posted October 7, 2015    Brian Chappell

Managing vulnerabilities is a significant challenge for many organizations. The main difficulties with managing this manifest in two key areas. The first is that the list isn’t static. The second is priority.


Scottrade Breach: Identified by Federal Officials

Posted October 5, 2015    Morey Haber

Late afternoon on October 2nd, news leaked out of another large security breach, now at Scottrade. The identity count of records, in the millions again (4.6 million is the latest). This breach comes on the second day of national CyberSecurity month, the first being Experian/T-Mobile breach.