EXECUTIVE SUMMARY:
On March 24th, Microsoft posted a security advisory (2953095) for a newly discovered, unpatched vulnerability affecting Microsoft Word. Microsoft has noticed limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. CVE-2014-1761 has been assigned for this vulnerability.
Please be aware that Word is the default viewer for Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013, and that even looking at the e-mail in the preview pane could lead to an infection through this attack.
THREAT DETAILS:
This vulnerability allows the attacker to gain the same privileges on a target machine as the victim, ultimately allowing remote code execution. The threat drops a backdoor to allow the attacker access to the victim machine.
At this time, it appears the attack is targeted, and the impact is low. We do not have any further information on the countries/regions that are impacted at this time.
According to Microsoft, this exploit fails (resulting in a crash) on machines running Word 2013.
Microsoft also mentions that the malicious document in the wild is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented-programming techniques using native RTF encoding schemes to craft ROP gadgets.
IMPACT:
- An attacker who successfully exploited this vulnerability could gain the same rights as the currently logged on user.
- Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative privileges.
AFFECTED SOFTWARE:
- Microsoft Word 2003 Service Pack 3
- Microsoft Word 2007 Service Pack 3
- Microsoft Word 2010 Service Pack 1 (32-bit editions)
- Microsoft Word 2010 Service Pack 2 (32-bit editions)
- Microsoft Word 2010 Service Pack 1 (64-bit editions)
- Microsoft Word 2010 Service Pack 2 (64-bit editions)
- Microsoft Word 2013 (32-bit editions)
- Microsoft Word 2013 (64-bit editions)
- Microsoft Word 2013 RT
- Microsoft Word Viewer
- Microsoft Office Compatibility Pack Service Pack 3
- Microsoft Office for Mac 2011
- Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
- Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
- Word Automation Services on Microsoft SharePoint Server 2013
- Microsoft Office Web Apps 2010 Service Pack 1
- Microsoft Office Web Apps 2010 Service Pack 2
- Microsoft Office Web Apps Server 2013
MICROSOFT WORKAROUNDS:
- Deploy the Enhanced Mitigation Experience Toolkit.
- Microsoft has provided a temporary "Fix It" solution as a workaround until a security update is made available: https://support.microsoft.com/kb/2953095
- Please see the Microsoft Security Advisory for more information: http://technet.microsoft.com/en-us/security/advisory/2953095
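The "Fix It" above automates Microsoft's file-block workaround; the PowerShell script below is an added example (not part of this advisory or Microsoft's tooling) that audits, and with -Apply sets, the same per-user setting. Assumption: the registry paths and values used are the per-user form of the "Disable opening RTF content in Microsoft Word" workaround from Microsoft Security Advisory 2953095 for Word 2010 (14.0) and Word 2013 (15.0); verify them against the advisory before deploying.

```powershell
# Added example, not from the advisory: audit (and with -Apply, set) the Office
# File Block policy that stops Word from opening RTF files.
# ASSUMPTION: the registry paths and values below are the per-user form of the
# "Disable opening RTF content in Microsoft Word" workaround in Microsoft Security
# Advisory 2953095 for Word 2010 (14.0) and Word 2013 (15.0). Verify before use.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)
$wordVersions = @{ '14.0' = 'Word 2010'; '15.0' = 'Word 2013' }

function Get-RtfFileBlockState {
    param([string]$Version)
    $key = "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileBlock"
    $state = [ordered]@{
        Product             = $wordVersions[$Version]
        KeyExists           = Test-Path $key
        RtfFiles            = $null
        OpenInProtectedView = $null
        RtfBlocked          = $false
    }
    if ($state.KeyExists) {
        $p = Get-ItemProperty -Path $key
        $state.RtfFiles            = $p.RtfFiles
        $state.OpenInProtectedView = $p.OpenInProtectedView
        # RtfFiles = 2 blocks opening; OpenInProtectedView = 0 removes the Protected View fallback
        $state.RtfBlocked = ($p.RtfFiles -eq 2 -and $p.OpenInProtectedView -eq 0)
    }
    [pscustomobject]$state
}

function Set-RtfFileBlock {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Version)
    $key = "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileBlock"
    if ($PSCmdlet.ShouldProcess($key, 'Block RTF files in Word')) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name RtfFiles -PropertyType DWord -Value 2 -Force | Out-Null
        New-ItemProperty -Path $key -Name OpenInProtectedView -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

foreach ($v in ($wordVersions.Keys | Sort-Object)) {
    # Skip Word versions this user has never run (no per-user Word hive yet)
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\Word")) { continue }
    if ($Apply -and -not (Get-RtfFileBlockState -Version $v).RtfBlocked) {
        Set-RtfFileBlock -Version $v
    }
    Get-RtfFileBlockState -Version $v   # emit the resulting state for reporting
}
```

Because the setting lives under HKCU it must be applied for each affected user (or pushed through Group Policy), and it should be reverted once the vendor's security update is installed, since it blocks all RTF files, not only malicious ones.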
MITIGATION STRATEGIES:
- Apply the workaround until patches are made available by the vendor.
- Apply the updates from Microsoft as soon as they become available.
- Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
- Do not use out-of-date software; keep your operating system and software up to date with the latest versions and security patches.
- To reduce the impact of latent vulnerabilities, run all software, including non-administrative software, as an unprivileged user with minimal access rights.
- Deploy network intrusion detection systems to monitor network traffic for malicious activity.
- Do not follow links or open email attachments provided by unknown or untrusted sources.
- Memory-protection schemes (such as non-executable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.
- Symantec encourages users to apply all relevant patches when they are available.
SYMANTEC MSS SOC DETECTION CAPABILITIES:
MSS SOC Analytics Detection
- Hot IP Signatures
- Hot IP - MS word (CVE-2014-1761) zero day C&C traffic
Vendor Detection
- Symantec SEP/AV
- Bloodhound.Exploit.550
- Snort/SourceFire
REFERENCES:
- Zero-Day Vulnerability Discovered in Microsoft Word
- Microsoft Security Advisory (2953095)
- NIST Vulnerability Summary for CVE-2014-1761
- Security Advisory 2953095: Recommendation to stay protected and for detections