BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Microsoft Word Zeroday – Set to expire?

Posted March 25, 2014    BeyondTrust Research Team

Researchers at Google have notified Microsoft of a new Word zeroday vulnerability. This attack is currently being leveraged in the wild to target systems running Microsoft Word 2010. The attack can be successful simply by a user opening a maliciously crafted RTF file within Microsoft Word.

The full extent of the breaches caused by this zeroday vulnerability is unknown, but Microsoft has provided some information about the exploit payload and subsequent malware itself. The exploit is sophisticated enough to be able to bypass some built-in operating system security protections, such as ASLR. But even more interesting is the fact that the logic of the exploit will look to see if a system has had any new Microsoft patches installed after April 8, 2014 and if so, it will not install its secondary malware payload. April 8th, 2014 is of course next month’s Patch Tuesday.

If the exploit is successful, it will copy a piece of malware to the affected users %temp% folder and then also enable the malware to start on the next system reboot by adding a registry entry to the current users RunOnce registry key. Neither of these two locations require Administrative rights to prevent the malware from successfully embedding in a system. However, least-privilege environments, such as those leveraging PowerBroker, can still help limit the future efforts of attackers in this case.

For example, if your employees are running with local Administrator privileges, as soon as an attacker successfully leverages this Word vulnerability, they could execute privileged commands, such as dumping all user account password hashes present on a system. An attacker could then leverage these account credentials to move laterally through your environment. On the flip side, however, if you are properly implementing a least-privilege environment where users are running as standard user accounts, then performing privileged functions, such as password dumps, would be prevented and only possible if the attackers employed a secondary privilege escalation exploit. In this particular attack, we have not witnessed the attackers using any secondary privilege escalation exploits to gain more privileges.

We have added an entry into our ZeroDay Tracker for this vulnerability, so check back as we will be updating it with any new information:
http://www.eeye.com/resources/security-center/research/zero-day-tracker/2014/20140324

Also, for customers leveraging PowerBroker for Windows in their environments, you can secondarily create a specific rule to block the malicious file hashes that are known so far:
MD5: af63f1dc3bb37e54209139bd7a3680b1
SHA1: 77ec5d22e64c17473290fb05ec5125b7a7e02828

For customers leveraging Retina for Vulnerability Management, you can use the following Retina Audits to detect vulnerable versions of Word:
33352 – Microsoft Office Remote Code Execution (2953095) (Zero-Day) – Windows
33353 – Microsoft Office Remote Code Execution (2953095) (Zero-Day) – Mac OS X

Check back to our blog for any updates as we learn any new information.

Further reading:
Microsoft Advisory – http://technet.microsoft.com/en-us/security/advisory/2953095
Microsoft Technical Blog – http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx
CVE Entry – http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1761

Tags:
, ,

Leave a Reply

Additional articles

PBPS-screenshot-blog aug2014

Failing the Security Basics: Backoff Point-of-Sale Malware

Posted August 22, 2014    Marc Maiffret

At the beginning of this month, US-CERT issued a security alert relating to a string of breaches that had been targeting Point of Sale (POS) systems. The alert details that attackers were leveraging brute forcing tools to target common remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Splashtop and LogMeIn among others….

Tags:
, , , , , ,

Troubleshooting Windows Privilege Management Rules with Policy Monitor

Posted August 21, 2014    Jason Silva

When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side…

Tags:
, , ,
darren-mar-elia

BeyondTrust Webcast: Darren Mar-Elia’s 4 Active Directory Change Scenarios to Track

Posted August 20, 2014    Chris Burd

In our latest webcast, we joined Darren Mar-Elia, CTO at SDM Software, to discuss best practices for Active Directory (AD) change management. Here are some key takeaways from the presentation, followed by a link to a full-length video of the presentation. Mar-Elia kicks things off with a critical insight: that the best AD change management…

Tags:
, , , , , , ,