BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Microsoft Word Zeroday – Set to expire?

Posted March 25, 2014    BeyondTrust Research Team

Researchers at Google have notified Microsoft of a new Word zeroday vulnerability. This attack is currently being leveraged in the wild to target systems running Microsoft Word 2010. The attack can be successful simply by a user opening a maliciously crafted RTF file within Microsoft Word.

The full extent of the breaches caused by this zeroday vulnerability is unknown, but Microsoft has provided some information about the exploit payload and subsequent malware itself. The exploit is sophisticated enough to be able to bypass some built-in operating system security protections, such as ASLR. But even more interesting is the fact that the logic of the exploit will look to see if a system has had any new Microsoft patches installed after April 8, 2014 and if so, it will not install its secondary malware payload. April 8th, 2014 is of course next month’s Patch Tuesday.

If the exploit is successful, it will copy a piece of malware to the affected users %temp% folder and then also enable the malware to start on the next system reboot by adding a registry entry to the current users RunOnce registry key. Neither of these two locations require Administrative rights to prevent the malware from successfully embedding in a system. However, least-privilege environments, such as those leveraging PowerBroker, can still help limit the future efforts of attackers in this case.

For example, if your employees are running with local Administrator privileges, as soon as an attacker successfully leverages this Word vulnerability, they could execute privileged commands, such as dumping all user account password hashes present on a system. An attacker could then leverage these account credentials to move laterally through your environment. On the flip side, however, if you are properly implementing a least-privilege environment where users are running as standard user accounts, then performing privileged functions, such as password dumps, would be prevented and only possible if the attackers employed a secondary privilege escalation exploit. In this particular attack, we have not witnessed the attackers using any secondary privilege escalation exploits to gain more privileges.

We have added an entry into our ZeroDay Tracker for this vulnerability, so check back as we will be updating it with any new information:
http://www.eeye.com/resources/security-center/research/zero-day-tracker/2014/20140324

Also, for customers leveraging PowerBroker for Windows in their environments, you can secondarily create a specific rule to block the malicious file hashes that are known so far:
MD5: af63f1dc3bb37e54209139bd7a3680b1
SHA1: 77ec5d22e64c17473290fb05ec5125b7a7e02828

For customers leveraging Retina for Vulnerability Management, you can use the following Retina Audits to detect vulnerable versions of Word:
33352 – Microsoft Office Remote Code Execution (2953095) (Zero-Day) – Windows
33353 – Microsoft Office Remote Code Execution (2953095) (Zero-Day) – Mac OS X

Check back to our blog for any updates as we learn any new information.

Further reading:
Microsoft Advisory – http://technet.microsoft.com/en-us/security/advisory/2953095
Microsoft Technical Blog – http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx
CVE Entry – http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1761

Tags:
, ,

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,