24 Mar 14

Microsoft: 0Day Exploit Targeting Word, Outlook

Microsoft warned today that attackers are exploiting a previously unknown security hole in Microsoft Word that can be used to run malicious code on a victim's system if the user opens a specially crafted RTF (rich text format) file, or merely previews such a message in Microsoft Outlook.

In a notice published today, Microsoft advised:

“Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted [rich text format] RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”

To be clear, Microsoft said the exploits it has seen so far attacking this vulnerability have targeted Word 2010 users, but according to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2013, Word Viewer and Office for Mac 2011.

Microsoft says it’s working on an official fix for the flaw, but that in the meantime affected users can apply a special Fix-It solution that disables the opening of RTF content in Microsoft Word. Microsoft notes that the vulnerability could be exploited via Outlook only when using Microsoft Word as the email viewer, but by default Word is the email reader in Microsoft Outlook 2007, Outlook 2010 and Outlook 2013.

One way to harden your email client is to render emails in plain text. For more information on how to do that with Microsoft Outlook 2003, 2007, 2010 and 2013, see these two articles.
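A defender-side check that follows from the advisory, added here as an example and not code from the article or from Microsoft: Word chooses its parser from a file's content rather than its extension, so an attachment scanner should key on the RTF header `{\rtf` instead of the `.rtf` suffix, and should also flag the TNEF container (`winmail.dat`, `application/ms-tnef`) in which Outlook transports rich-text messages. The sample message and its attachments are constructed for this example.

```python
"""Flag RTF content in a saved email message (.eml), whatever the declared
filename or MIME type says.

Added example, not code from the article or from Microsoft. RTF data begins
with the text "{\\rtf" regardless of the file's extension, and Outlook-to-
Outlook rich text travels as a TNEF container (application/ms-tnef, usually
named winmail.dat). The message built below is constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

RTF_MAGIC = b"{\\rtf"
TNEF_TYPE = "application/ms-tnef"


def looks_like_rtf(data: bytes) -> bool:
    """True if the payload starts with the RTF header (leading whitespace tolerated)."""
    return data.lstrip().lower().startswith(RTF_MAGIC)


def find_rtf_parts(raw_message: bytes):
    """Walk every MIME part and return (filename, content_type, reason) for
    each part that carries RTF data or an Outlook TNEF container."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or "(inline body)"
        payload = part.get_payload(decode=True) or b""
        if ctype == TNEF_TYPE or name.lower() == "winmail.dat":
            findings.append((name, ctype, "TNEF container (Outlook rich text)"))
        elif looks_like_rtf(payload):
            # Flagged by content: the extension and MIME type are ignored.
            findings.append((name, ctype, "RTF header in payload"))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: one honest .rtf, the same RTF renamed to .doc
    and labelled as a Word document, a TNEF stub, and a benign text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample with RTF attachments"
    msg.set_content("Body text of the constructed sample message.")
    rtf_bytes = b"{\\rtf1\\ansi Constructed harmless RTF document.}"
    msg.add_attachment(rtf_bytes, maintype="application", subtype="rtf",
                       filename="statement.rtf")
    msg.add_attachment(rtf_bytes, maintype="application", subtype="msword",
                       filename="statement.doc")
    # TNEF stub: real TNEF starts with the little-endian signature 0x223E9F78.
    msg.add_attachment(b"\x78\x9f\x3e\x22constructed-tnef-stub",
                       maintype="application", subtype="ms-tnef",
                       filename="winmail.dat")
    msg.add_attachment("just text", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, ctype, reason in find_rtf_parts(build_sample_message()):
        print(f"{name:15} {ctype:22} {reason}")
```

Run against a real mailbox export by feeding each `.eml` file's bytes to `find_rtf_parts`; the disguised `statement.doc` is reported alongside the honest `.rtf`.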


89 comments

  1. Krebs: “One way to harden your email client is to render emails in plain text.”

    Another way is to use a different email client…

    • Gee thanks for the comment, Captain Obvious. Why not just suggest another operating system?

      Allowing dynamic HTML and scripting in email clients is a bad idea, period, regardless of which email client you’re using.

      • Is it just me, or has Brian been a little grumpy lately?

        • Brian gets annoyed at inane comments that add nothing to the discussion, but doesn’t really have time to moderate every one.

          • That’s it, I am never using the Internet again.

          • Chris Sherlock

            How is that any more obvious than saying to mitigate the problem use plain text?!?

            • Agreed. When there was a similar issue with .TIFF images, the default program to view them was the issue not the file format itself.

              The recommendation then was to use a different default image viewer, not to stop using tiffs completely.

              For this case I see similar options.

              1. Don’t use rtf files ever.
              2. Use something besides Word as the default for .rtf files
              3. Set Outlook to only display plaintext
              4. Use an email client that by default only uses plaintext
              5. Use an email client that does not use Word for rendering rtf files

              While I think Brian is correct in that plain-text is the safest solution, the problem resides in Word and Outlook’s use of Word, so I don’t think discounting the suggestion of another email client is fair.

            • One is a way to keep using the product you have with reduced functionality (render in plain text). The other is a suggestion that you use a different product, which, as you are moving from Outlook, means stepping at least a decade back in functionality.

          • Brian,

            I concede that my comment did not add value to the discussion and as a daily viewer of your blog and a huge fan, I apologize.

            Further down in the comments, I have made another post contesting your reaction to the above suggestion. I hope it will lead to some productive discussion on security issues and best practices.

          • See, this anger is why Mr. T is perfect to play Mr. Krebbs in his new movie “Life of Brian 2” a.k.a. “The Krebbsenator.”

      • David Crosswell

        Brian,

        I’d like to respectfully suggest another operating system, and to also relay my condolences in regard to one of the CISSP community recently referring to you as a mere ‘security blogger’.

        It offended me as I pictured you sitting there all grumpy in your pyjamas.

        Murray! Don’t you bad-mouth TeX to me. You can actually use it for email, with the right editor specified, in the right client: word to the wise.

        • With success and notoriety come heel-biters, the jealous, and the expected a-holes, including those with CISSP and other acronyms pasted behind their names.

          Brian has done more for cyber-security than many CISSPs have, whose personal gain is selling high priced advice to private enterprise for personal profit. Nothing wrong with that, but they shouldn’t feel that their own radiance has been diminished by another man’s success.

      • It’s fine to have anything one wants in an email, provided you are authenticating the sender properly. The culture of just pushing the email is the problem.

        For example, I ask you to send me a particular binary executable, and you send it along as an attachment. It pops into the inbox, and it’s reasonably certain that it’s from you, and it’s the file you intended to send.

        Whether any executable file is ever really safe is another matter (I think it was Thompson (of Bell Labs) suggesting that one should never trust any code one doesn’t write themselves).

        My point is that folks forget to authenticate the sender, and it’s not that hard to do! In the above example, there is a time, email and content check. You send the wrong attachment, or at the wrong time, or from another email address, and the deal is off (doesn’t authenticate), it’s in the bit bucket. Instead you get an “I didn’t read your email, as it wasn’t what we agreed on” sort of reply.

        Folks are just extending trust based on relationships. “OH, it’s from mom.. I have to open it!” sort of thing. I had folks with advanced degrees come to me years ago and confess “I opened the I LOVE YOU virus because it came from the blonde in accounting”.. it’s the same problem Brian. The culture of pushing email without authenticating needs to change as there will always be technical exploits.

        anyway.. I think I’m as frustrated as you are. 🙂

        hang in there.
        -Lee

        • Imagining that you can trust a sender to be authentic, they could still have a virus.

          They could also have malware that functions as a RAT.

          This isn’t about paranoia, but you shouldn’t trust anything electronic from anyone.

          Everyone receives email that appears to be from friends, but is actually from hackers impersonating their friends…

          • I agree with you.

            I just am amazed that folks don’t bother to authenticate their inbox in any way (the originating email address token is one way to do it, and the mechanism already exists – the subject line).

            If that were done as a matter of course, much of the phishing would go away, and it would make spear phishing harder as well.

            If it were the culture to use tokens to filter, then the chain necessary to spear phish would be extremely difficult (via email anyway).

            You’re right though, it doesn’t stop the flaws from being exploited, but it does reduce the size of the exposed edges.

        • That isn’t the only virus they got from the blonde in accounting :\

      • Brian’s got a point that deserves digression: Some can say “Use another ‘X’” all they want, but there are those in environments where mail clients are dictated to them, and they don’t have a choice. So suggesting a different mail client to those groups of users and their support staff does zero good, and also diverts attention from the need to take mitigation steps in the interim before a security update is released.

        Not everyone is given the flexibility to change. And while such a suggestion may not initially seem mean spirited by those forwarding it, it can come off as such to those – like me in some phases of my career – who must support such users in such restricted environments where choice is nonexistent. Those people need to worry about what they can control, and telling them to change is fruitless.

    • Fortunately, I think the current exploits rely on ActiveX controls which are disabled when reading Outlook RTF messages. In fact, I have seen no real world Word exploits using Outlook RTF messages, probably because spear phishing is effective enough.

      • Other exploits may, but the specific one Brian is discussing here does not appear to. From Technet:

        “The vulnerability is a remote code execution vulnerability. The issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code. The vulnerability could be exploited through Microsoft Outlook only when using Microsoft Word as the email viewer.”

  2. And for years I’ve been thinking that RTF was safer, mostly because it could not carry macro attacks.

    • Greg from Indy

      Same here, I had no idea (until today). I switched to plain text years ago. Courier New 10pt. Compatible with darn near anything. No fancy background and company logo that adds 80k to the message.

      I’ve tried to use ThunderBird in certain departments, but in the end, everyone is on Outlook.

      I’ll be switching the default editor. Thanks for the heads up.

        • Why would I want to read emails in a monospace font? Code, yes, but not text..

          • But that’s the crux of the problem. I frequently send out emails with code fragments, and I will change the font of the code fragment to a monospace font to help set it apart from the body of the message.

            To me, such things are far more readable, but it is something that is only possible when using some form of rich text. And if everyone renders the email in plain text then it becomes pointless to take the trouble to do the formatting of the email in the first place.

        • Greg from Indy

          Yep, I love a nice console font for coding. I believe I’m using Lucida Console in Visual Studio. Simple font for those I communicate with. Especially our customers.

          I agree with Lee Church. Authentication at the user level. We had two users get hit with Cryptolocker. All data was lost (we don’t negotiate with criminals/slime). No software can replace common sense. 😉

    • RTF vulnerabilities are less common than doc ones but they do sometimes crop up.

    • You’re not the only one.

      This vulnerability teaches me not to make presumptions like that. But I definitely had that same thought up till this point.

  3. Captain Obvious

    You could also stop using a computer completely, and write all your communications with a quill and ink.

  4. An old(er) school e-mail client that I like to use for Windows is called Pegasus: http://www.pmail.com/

    As far as I know the above exploit won’t work, and using a nonstandard/semi-esoteric e-mail client will often let you dodge many such bullets (I also like Pegasus better than Thunderbird 🙂)

  5. TheOreganoRouter.onion.it

    I see something like this being used in bank phishing or spear phishing scams. Once the remote code execution occurs, then this opens the door for a trojan dropper via another vulnerability, or some type of remote key-logger in a phishing kit.

    Sort of a phishing scam urging the reader to open up the document so that they can read a bank statement for the purpose of IRS filing. Once someone opens the document, then the attacker has remote access to further exploit the machine to gain access to bank accounts.

    • I imagine trying to use Libre Office or Open Office will do you no good if you have the versions of Office cited in the article installed on your system as well. Just messing with it at all may trigger it? Just wondering!

    • Had the bank used a token of the user’s choice in the subject to authenticate their email, it would have reduced the chance of this type of attack.

      Had the bank not sent real emails with attachments, pictures, and links it also would have reduced the profile for these attacks.

      But hey, apparently it’s too hard for the banks to put a string in a subject, and allow the user to filter out any email from that address that doesn’t have that string. And it’s too hard to ask the user to cut and paste a URL.

      What all this shows me is that banks, merchants and credit card companies are so focused on authenticating the user, they forget to authenticate themselves. If they do user authentication perfectly, they get a 50% grade, as they miss the other half of the equation.

      It also shows that they simply don’t care about exposing folks to these sorts of scams. They put attachments, links, pictures etc. in these emails and then expect the user to tell it’s really from them by what exactly??? oh.. a minus-zero day scanner.. (the scanner that picks up tomorrow’s exploits).

      They are just not serious about security. Their thinking that they can be secure when the other party isn’t secure is just sad.

      argh (again).

      • The large bank that I have my retail account at puts several text strings in their emails that only I could know but are not sufficient to hack my account.

        • That sounds like a step forward.

          As long as YOU control what those strings are, and can change them, then that’s a start. I prefer the subject line, as it can be viewed/processed without /viewing/touching the body of the message.

          That said, a static token, or the same token for several users, or a token that is used by all their ‘partners’ ( that isn’t linked to the specific sending email address) is not that effective.

          Perhaps after many years of email, we might finally be able to tell from whom an email came. That would be progress I suppose.

  6. I say this over and over again. If you don’t need to run Windows software then uninstall it. Windows is the most virus, malware and ransomware ridden OS in the world.

    • The only reason there is so much malware for Windows is because the vast majority of people are running it. If you could wave a magic wand and switch everyone to MacOS, Linux, Android or anything else, I can guarantee that the people who write the malware would adapt and begin to produce malware for that platform.

      The problem is really more one of mindset. People have become accustomed to having lots of cool features, and the average person would regard giving up many of these features as being barbaric. But whenever they add these features, the security implications aren’t always thought through.

    • Not a solution. People are still buying Windows platforms because it is the easiest to learn and use. This is coming from someone who uses all three types: Apple, Microsoft and Linux.

      People have other lives and employment and should not be forced to become programmers or hackers just to use an OS. Never mind that the interest is just not there.

      • I think the suggestion about uninstalling stuff that isn’t used has a great deal of merit for security. And one doesn’t have to be running embedded XP on a reduced capacity platform for uninstalling unneeded applications and services to make sense.

        Here are just a few benefits (rattled off, no particular order):

        – frees up disk space
        – can make windows load/shutdown faster
        – can make windows run faster (particularly if they have components that are in memory, or services running/loaded)
        – can make security scans run faster
        – reduces the number of edges present on a system to exploit

        I don’t particularly agree with going from the frying pan to the fire in wholesale OS changes in what could be described as ‘general panic’, but closing a few of the barn’s doors, making the scale of the problem smaller, should always be considered (Einstein suggested “As simple as possible, but no more”, and Thoreau “Simplify, simplify”).

        For folks that don’t have a lot of choices: review of what can be turned off makes sense (not just for this particular exploit).

        For companies collecting data, same thing: Review what data they don’t need, and stop collecting and storing it.

  7. Murray Sargent

    If you like to interchange mathematical text, you can do so in the Outlook RTF and HTML modes. The plain-text mode isn’t nearly as nice. You need to type something like TeX, which doesn’t look like the math it represents. Also it’s nice to include highlighting and friendly-name URLs. Again plain text is deficient.

  8. Does this affect MS Word used on an iMac…? (Mac 10.7.2 – Word Mac 2011)

  9. I’d like to see Microsoft tell us if their EMET software blocks this exploit, and any other 0-day when they come out. They advertise EMET as their 0-day prevention tool, after all.

    • Check that…the FAQ says that EMET does mitigate this vulnerability. Glad to see that.

      • The Microsoft advisory suggests that EMET is “helpful”, but I don’t find it clear whether they’re telling us that EMET effectively blocks this specific vulnerability, or if EMET makes the exploit harder but still possible.

        Brian, can you use your contacts to get Microsoft to clarify that point, please?

  10. An additional, yet inexplicably not used technique is to require anyone sending you email to register their email address with you, and you assign them a token to be placed in the subject line.

    Then set a rule such that emails from email X without token Y are automatically routed to the ol’ bit bucket in the sky.

    But, hey, companies don’t want to actually have you filter like that.. all those third party sales of your email address become less useful, and at a minimum it identifies who sold or leaked your email address.

    And fake emails that DO have your token indicates one of the two parties is hacked.

    On another note, the culture of extending ‘trust’ based on friendship is going to have to change. To be clear, party A sends an attachment to party B.. party B bit-bucket’s the thing because they didn’t request it, and party A says “glad you did that”? nope.. they say.. “hey, why didn’t you read it?”.. and there is your problem. The folks sending jokes, and unsolicited emails who are upset that their emails are deleted put pressure on others, which makes that sort of thing work.

    Anyway, nothing I haven’t said before (and had deleted.. LOL.. it’s not a popular concept, I get that part!).

  11. Brian: Any thoughts on this being specifically targeted at Google? Not only was it reported by Google’s team, but there’s no matching sig. in VirusTotal, and it sounds like the exploit itself was very advanced (per their TechNet post).

    Reminds me a little of the embedded .SWF in an XLS spear-fish attack on Google a few years back.

  12. Hi,

    It is my understanding that the little “preview” window in Outlook is not Word, and only when a mail is double-clicked does Word kick in, so scrolling through emails will not infect the PC but viewing the mail in a new window would.

    – Allen

  13. Rabid Howler Monkey

    More on the Microsoft security advisory here:

    http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx

    In addition to EMET and configuring Word not to open RTF files (via the Fix it tool), one can “enforce Word to open RTF files always in Protected View in Trust Center settings” … “If blocking RTF files is not an option, enterprise could enforce ‘Open selected file types in Protected View’ instead of ‘Do not open selected file types’ in Trust Center settings. The ‘Protected View’ mode in Office 2010/2013 does not allow ActiveX controls to load. This will mitigate the attack we observed. Once the workaround is enabled, Word will prompt the Protected View gold bar, but will still allow the preview of the document.”

    Note that Protected View is available with Office 2010 and 2013 on Windows Vista, 7 and 8.

  14. “…or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer” – Is office the default viewer for emails in outlook?

  15. Using Pocketknife Peek is still a good way for Outlook users to safely check the contents of email I think.

  16. Thanks for making this article.

    Their fixit doesn’t seem to work on Windows 8.1 x64 + Office x64.

    I wonder if I am not vulnerable or if they just have a bad fixit.

  17. The best way to mitigate attacks is to stop using the PC altogether – that way you don’t get nothing….

  18. Great post! Been reading a lot about different aspects of this type of security. Thanks for the info!

  19. Back in the 1990s, we had a Macintosh writing lab at my school get infected with an MS Word macro virus. It was weird, because we had specifically disabled all macros. This virus infected the normal.dot file, so you could simply throw that file away and Word would create a new uninfected file, but we had a lot of users with infected floppy disks that kept trying to spread the virus (we did then lock the normal.dot files to prevent changes to them). We also required all users to scan any floppies at a special scanning station before they could use their disks in our lab. If a floppy of theirs was infected, we also gave them instructions how to fix their home computer.

    Anyway, when I opened an infected normal.dot file in a plain text editor, I was stunned to see that the first thing the virus did was turn Office macros back on! Microsoft gave you a false sense of security by letting you disable macros only to allow viruses to re-enable macros!

    • Well isn’t that what makes it malicious software? By default any software out there can do things that the user has permissions to do – so there really isn’t a way to make it so ‘you’ can disable macros without allowing ‘you’ to turn them back on. Good coding would make it so admins can permanently turn those off but then you get users complaining – so they don’t do that.

  20. Very frustrating that Microsoft doesn’t explicitly offer mitigations for the Outlook aspect of this security hole. The PLAIN TEXT option seems like a sledgehammer approach.

    According to this MVP, you cannot disable Word as the editor in Outlook 2010: http://answers.microsoft.com/en-us/office/forum/office_2010-outlook/can-i-turn-off-word-as-the-email-editor-in-outlook/d25fb752-4ff4-4aa0-9d6f-b07c3efc09d2

  21. Unfortunately, large corporate environments (>10,000 machines) don’t have the choice of switching the OS, setting e-mail to read plain-text only or any number of options that security minded individuals have. Thankfully though, there is a fix-it available for Windows machines that can be mass applied.

    The Microsoft article says that Mac Office 2011 is also affected. Has anyone seen any information about how to mitigate this on Macintosh or is setting it to plain-text the only option there?

    • The FixIt does nothing for Outlook. It merely turns on the RTF block feature in Word’s Trust Center settings. BTW, you can do this in group policy (Microsoft Word 2010 / Word Options / Security / Trust Center / File Block Settings / RTF Files). The FixIt is intended for home users.

      • Most Fix It items can be taken apart and then re-packaged for corporate installation (for instance with Secunia CSI). This one doesn’t work that way, and is a per-user setting, based on whomever is logged in at the time of install. Very disappointing.

  22. Per the srd blog (1) “There is a theoretical Outlook attack vector for RTF vulnerabilities through the preview pane. The reduced functionality of the preview pane makes this attack vector extremely hard to carry, and to date we have never seen exploits leveraging this mechanism.”

    So how real is this preview pane risk?

    I’d install EMET 4.1 if one hasn’t already.
    And Brian is allowed to be grumpy. Unless he’s been given the right to choose who’s going to play him on the silver screen, he’s allowed to be grumpy.

    (1) http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx

    • I never liked the preview pane, as it takes away from the choice to process the body of the message until too late. Sure certain configuration options and such can make that processing happen prior to it getting to the ‘preview’ panel, but in general, I think “preview” is a bad idea for several reasons:

      – security: it has to touch/process message body
      – mistake prone: may encourage folks to not read full email (or misread it.. has this NOT happened to anyone you know?)
      – socially exploitable: folks end up basically authenticating the email based on skimming the first part of the content (a really bad idea). If it looks OK they dive in (This behavior makes social engineering easier because the faulty thought pattern carries forward).

      That said, I do understand some folks make good use of preview.

      Anyway, I agree with your ENTIRE post, including the last part. 🙂

  23. lol brian do anything to write new article to make u click click for advertising $$$$ !!!! if i want read about exploit i read from people who know much more than brian !!! pretty soon he start telling knock knock jokes on his blog for clicks

  24. I think one lesson from this is, there will always be another document format to exploit. 15 years ago we had the exact same conversation about .doc and .xls, even to the point of email preview exploits. Anything that renders active code from untrusted sources outside of a sandbox without the user doing anything is a risk.

  25. It seems apparent that any application which interacts with an untrusted network, and untrusted data, should itself be untrusted. In other words, with the advent of so many 0-day vulnerabilities, you’d think the next logical step would be to conclude the applications themselves should be untrusted.

    Said applications (browsers, document viewers, email clients, etc.) should be proactively isolated from the primary OS and private network. Vendors such as Invincea and Spikes (air gapped browser) are headed in the right direction.

  26. Howdy, would you mind letting me know which web host you’re utilizing? I’ve loaded your blog in 3 different web browsers and I must say this blog loads a lot faster than most. Can you recommend a good hosting provider at an honest price?

    Kudos, I appreciate it!

  27. Looks like they updated the FixIt to work with 64-bit Office on a 64-bit OS. New time stamp shows Wednesday, March 26 12:02AM

  28. While it’s not hard to argue with the idea of running in reduced functionality mode (displaying only plain-text), it’s not always a “free” solution.

    Since the defaults with Outlook display rich content, there’s an expectation of rich content which will end up having secondary effects on the amount of work people have to do to get at rich content, such as saving attachments. For example, if I get a huge volume of email with rich text content that would ordinarily display inline and I switch to text only, I now have a lot more work to do in terms of making sense of those emails.

    It may not sound like a big deal to some people, but I think part of the reason security is such a train wreck is that security people discount the value of something like inline rich text and just assume the answer is to get rid of it, where the people who value it resist because turning it off turns a hectic workload into an unmanageable one.

  29. Time to take the free, safe, secure & feature-packed LibreOffice for a spin. It’s truly multi-platform & takes just a few minutes to install.

    Try it, you have so much to gain: http://www.libreoffice.org/download

  30. I’ve used Linux Mint for a while and have gone back to Windows because it’s easier to deal with.