Microsoft Office and its vulnerabilities

The Microsoft Office threat landscape, and the technologies that help us catch related zero-day exploits, were the focus of this talk at the SAS 2019 conference.

Some talks at the SAS 2019 conference are dedicated not to sophisticated APT attacks, but to the daily grind of our antimalware researchers. Our experts Boris Larin, Vlad Stolyarov, and Alexander Liskin prepared research called “Catching multilayered zero-day attacks on MS Office.” The main focus of their research was the instruments that help them in malware analysis, but they also draw attention to the current Microsoft Office threat landscape.

The changes to the threat landscape in just two years are attention-grabbing. Our experts compared a distribution of attacked users by targeted platforms from the end of last year with one from just two years ago. They found that cybercriminals moved away from using Web-based vulnerabilities in favor of MS Office ones — but the extent of the change surprised even them: In the past few months, MS Office, with a more than 70% share of attacks, became the most targeted platform.

Starting last year, a bunch of zero-day exploits for MS Office began to pop up. These usually begin with targeted campaign but eventually go public and end up integrated into a malicious document builder. The turnaround time has shortened substantially, however. For example, in the case of CVE-2017-11882, the first equation editor vulnerability our expert saw, a huge spam campaign started the same day the proof of concept was published. That’s true of other vulnerabilities as well — once a technical report for a vulnerability goes public, an exploit for it appears on the dark market in a matter of days. Bugs themselves have become much less complex, and sometimes a detailed write-up is all a cybercriminal needs to build a working exploit.

A look at the most exploited vulnerabilities of 2018 confirms exactly that: Malware authors prefer simple, logical bugs. That is why the equation editor vulnerabilities CVE-2017-11882 and CVE-2018-0802 are now the most exploited bugs in MS Office. Simply put, they are reliable and work in every version of Word released in the past 17 years. And, most important, building an exploit for either one requires no advanced skills. That’s because the equation editor binary didn’t have any of the modern protections and mitigations you’d expect from an application in 2018.

An interesting side note: None of the top most exploited vulnerabilities are in MS Office itself. Rather, the vulnerabilities exist in related components.

Why does this kind of thing keep happening?

Well, MS Office’s attack surface is huge, with many complicated file formats to consider, as well as integration with Windows — and interoperability. And, most important from a security point of view, many decisions Microsoft made when it created Office simply look bad now, but changing them would devastate backward compatibility.

In 2018 alone, we found multiple zero-day vulnerabilities exploited in the wild. Among them is CVE-2018-8174 (the Windows VBScript Engine Remote Code Execution Vulnerability). This vulnerability is especially interesting, because the exploit was found in a Word document, but the vulnerability is actually in Internet Explorer. For more details, see this Securelist post.

How we find vulnerabilities

Kaspersky security products for endpoints have very advanced heuristic capabilities for the detection of threats delivered through MS Office documents. It is one of the first layers of detection. The heuristic engine is aware of all file formats and obfuscations for documents, and it serves as the first line of defense. But when we find a malicious object, we do not stop after simply determining that it is dangerous. The object is then passed through additional layers of security. One technology that is particularly successful, for example, is the sandbox.

In the field of information security, sandboxes are used to isolate an insecure environment from a secure one or vice versa, to protect against the exploitation of vulnerabilities, and to analyze malicious code. Our sandbox is a system for malware detection that runs a suspicious object in a virtual machine with a full-featured OS and detects the object’s malicious activity by analyzing its behavior. It was developed some years ago for use in our infrastructure, and then it became part of the Kaspersky Anti-Targeted Attack Platform.

Microsoft Office is a hot target for attackers and will remain so. Attackers aim for the easiest targets, and legacy features will be abused. So to protect your company, we advise using solutions whose effectiveness is proved by their long list of detected CVEs.