Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Booby-trapped Word documents in the wild exploit critical Microsoft 0day

    Home Forums AskWoody blog Booby-trapped Word documents in the wild exploit critical Microsoft 0day

    This topic contains 50 replies, has 13 voices, and was last updated by  MrBrian 3 weeks, 1 day ago.

    • Author
      Posts
    • #107328 Reply

      woody
      Da Boss

      The exploit appears in a Word doc attached to an email message. When you open the doc, it has an embedded link that retrieves an executable HTML file
      [See the full post at: Booby-trapped Word documents in the wild exploit critical Microsoft 0day]

      2 users thanked author for this post.
    • #107336 Reply

      satrow
      AskWoody MVP

      Hmm, Script Defender might provide protection from this as it intercepts several scripting calls, including .hta. I don’t know whether it will install/work on W8 > 10 though.

      http://www.analogx.com/contents/download/System/sdefend/Freeware.htm

      1 user thanked author for this post.
    • #107341 Reply

      lurks about
      AskWoody Lounger

      Does this exploit require VB/VBA to fire? From what I read it does not appear to affect Macs so I assume it requires some Windows dlls to run.

    • #107349 Reply

      JNP
      AskWoody Lounger

      The FireEye post contains this sentence: “The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file.”  Does this mean that if one opens a Word file not in MS Word, programs such as WordPerfect or Open Office, the malicious code will not execute?

      • #107351 Reply

        satrow
        AskWoody MVP

        I think the .hta file would directly trigger IE to run it as ‘just’ another executable, thus my earlier reply suggesting Script Defender to intercept this and other rare scripting calls. I’m unsure whether a more basic MS, or a non-MS .doc handling would also allow an hta component to be passed on to IE.

        If the .doc software was disallowed from accessing the Internet, that might also be a workaround.

        • #107352 Reply

          JNP
          AskWoody Lounger

          Thanks for the reply, I’ve installed Scripts Defender, everybody if you do this, read the install notes because there is a certain thing one has to do to properly remove SD.  Here’s my question: Do I have to put SD in the Windows Startup folder and keep it running for full protection?  I imagine I could also just launch it when I receive a Word Document as well.  Again, thanks.

          1 user thanked author for this post.
          • #107357 Reply

            satrow
            AskWoody MVP

            Once installed it adds the redirects and can be closed, it doesn’t need to be run at every boot, it becomes passive.

            Use the test.vbs (or create a dummy .hta) and check it’s working.

            • #107360 Reply

              JNP
              AskWoody Lounger

              Yes, thanks so much. A test.vbs file does launch Script Defender (SD), but, as you are assuming a fact not in evidence, I am not a dummy :), if SD indicates there is a script, one either bugs out of the Word file or one aborts running the VBS when prompted by SD, right? Once again, thanks.

            • #107364 Reply

              satrow
              AskWoody MVP

              If a file type set to be intercepted by SD is launched, SD will leap into action, as you have witnessed. If the interception is unexpected, it should be aborted, at least until you’ve had time to figure out how/what launched the script.

              There are very few softwares/installers that use the default intercepted script types (I only have one, rarely updated) but your software usage is probably very different to mine.

              What can be a nuisance is where WinPatrol is also installed, on installation of SD it will intercept the change in default handler for (most? of) those file types, so just allow the changes.

              Obviously, if you do use a lot of those script types, say *.vbs, SD can also become something of a nuisance but I feel those few extra seconds clicking away the SD popup are worth the extra feedback and potential data/monetary security.

              • This reply was modified 6 months, 1 week ago by  satrow. Reason: carp speling
            • #107368 Reply

              JNP
              AskWoody Lounger

              Many thanks, once again. Funny you should mention WinPatrol, I do use it, but allowed SD to make the changes, so SD did what it should do when I ran a test.vbs file.

              Also for everybody, there does not appear to be a Protected View option for versions of Word before Word 2010: https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653 .

              1 user thanked author for this post.
        • #107416 Reply

          anonymous

          Deleting the .hta file association for IE might work also, but it is nice to know that the AnalogX software still is effective.

        • #109115 Reply

          anonymous

          The HTA host program is labeled as being a part of IE 11 in the program version information. I thought that turning off IE 11 would delete all of the files with a such a warning that it might break the system (and a help link that provides no explanation to boot). 🙁

    • #107350 Reply

      Noel Carboni
      AskWoody MVP

      winword.exe issues a HTTP request to a remote server …

      I’d be interested in knowing specifically what web site it contacts; I probably already have it blacklisted, but if not it would certainly be a good site to add to the lists. Unfortunately, in all the “for public” releases that information has been redacted.

      All these “news” releases appear to seek to sell users security software rather than to inform the public of threat specifics so they can protect against it directly.

      Also, several sites mention using “Protected View”, but I didn’t note any specific instructions for ensuring Office “Trust Center” settings are proper (e.g., File – Options, choose Trust Center, etc.)

      -Noel

      3 users thanked author for this post.
      • #107362 Reply

        anonymous

        The main artical has a link to “What is Protected View”, perhaps it was added after your comment.

        I want to change my Protected View settings

        We advise speaking with your administrator before you make changes to your Protected View settings.

        Click File > Options.

        Click Trust Center > Trust Center Settings > Protected View.

        Make selections that you want.

        1 user thanked author for this post.
      • #107363 Reply

        anonymous

        I’d be interested in knowing specifically what web site it contacts

        Yeah, what’s up with that? Go to the McAfee link and email them Noel and sent them your Post as a resume, and pursuade them to give up the IP. YOU CAN DO IT~~

        Topic: A Description of My Quite Effective Security Environment (Long) @ AskWoody

    • #107404 Reply

      JohnW
      AskWoody Lounger

      This is what I see in the LibreOffice security settings.

      LibreOffice-Security-Options

      Attachments:
      You must be logged in to view attached files.
    • #107412 Reply

      John in Mtl
      AskWoody Lounger

      Part of my security strategy involves denying all applications access to the LAN and the WAN –  a local software firewall (part of a 2-nd layer of protection) displays an ask/deny  dialog for anything trying to execute in or out communication .  I would venture that I’m protected from this threat because the firewall would block Word from fetching the malicious URL; yes, no?

      However, if Word used any comm routines involving “svchost” before opening its GUI, then obviously I’m screwed because I allow svchost full access at all times.  But I’ve never seen any MS Office app behave this way, ever!  I only use Office 2003 & 2007, never will use 360 or any other cloud based office version.

      • #107414 Reply

        anonymous

        Look at this again John,

        The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft. The following is a part of the communications we captured:

        McaFee's screenshot

        Yet at the bottom of the post they say that MS’s own Protected View (software based) will mitigate the payload by running/opening the file in a “restricted mode.”

        According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.

        Trust Center contains security & privacy settings

         

        I don’t have a version of Office that incorpoates Protected View. Yet I have looked into MalewareBytes Anti-Exploit’s Advance Settings as seen in this review and see simalary terminology. So I think (and have seen it block web traffic) I’ll rest better. Plus I’m not exactly Zero-Day target material anywho.

    • #107427 Reply

      JohnW
      AskWoody Lounger

      All these “news” releases appear to seek to sell users security software rather than to inform the public of threat specifics so they can protect against it directly.

      Yup.  Saw this comment in the FireEye article…

      “The vulnerability is bypassing most mitigations; however, as noted above, FireEye email and network products detect the malicious documents.”

       

      1 user thanked author for this post.
    • #107428 Reply

      JohnW
      AskWoody Lounger

      Look at this again John,

      I don’t have a version of Office that incorpoates Protected View. Yet I have looked into MalewareBytes Anti-Exploit’s Advance Settings as seen in this review and see simalary terminology. So I think (and have seen it block web traffic) I’ll rest better. Plus I’m not exactly Zero-Day target material anywho.

      FYI, MalwareBytes Anti-Exploit is now part of Malwarebytes 3.0 Premium.  It is available as a 14 day free trial, that reverts to a free version malware scanner without real-time protection.

      https://www.malwarebytes.com/antiexploit/

    • #107437 Reply

      woody
      Da Boss

      Probably not so obvious from my write-up: Zero-days as juicy as this one are often the work of nation-states, so people like you and me don’t need to get too worked up. (Unless you’re providing high security support to a military organization.)

      But as soon as the details are published, malware script manufacturers run around trying to replicate the infection scenario, all the better to sell the latest to script kiddies.

      That’s why “responsible disclosure” really matters.

      • This reply was modified 6 months, 1 week ago by  woody.
      2 users thanked author for this post.
    • #107438 Reply

      anonymous
      • #107441 Reply

        woody
        Da Boss

        So Vess (er, Dr. Bontchev) is right. Doesn’t surprise me. He’s always right. 🙂

    • #107520 Reply

      anonymous
    • #107521 Reply

      anonymous
    • #107530 Reply

      anonymous

      A tweet from the person who purportedly originally discovered this vulnerability:

      “the vulnerability I discovered is exploited through Office, but that does not necessarily mean it is isolated to Office”

      Given the description of the vulnerability, I agree.

      2 users thanked author for this post.
    • #107627 Reply

      MrBrian
      AskWoody MVP
    • #107678 Reply

      MrBrian
      AskWoody MVP

      CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API

      Note: There are patches for Windows in addition to Office.

      • This reply was modified 6 months, 1 week ago by  MrBrian.
      • This reply was modified 6 months, 1 week ago by  MrBrian.
      • #107709 Reply

        anonymous

        Filtered
        CVE-2017-0199

        04/11/2017 4014793 Windows Vista Service Pack 2
        04/11/2017 4014793 Windows Server 2008 for 32-bit Systems Service Pack 2
        04/11/2017 4015549 Windows Server 2008 R2 for x64-based Systems Service Pack 1
        04/11/2017 4014793 Windows Server 2008 for x64-based Systems Service Pack 2
        04/11/2017 4014793 Windows Server 2008 for Itanium-Based Systems Service Pack 2
        04/11/2017 4015549 Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
        04/11/2017 4015551 Windows Server 2012
        04/11/2017 4014793 Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
        04/11/2017 4014793 Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
        04/11/2017 4015549 Windows 7 for x64-based Systems Service Pack 1
        04/11/2017 4015551 Windows Server 2012 (Server Core installation)
        04/11/2017 4015549 Windows 7 for 32-bit Systems Service Pack 1
        04/11/2017 4015549 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
        04/11/2017 4014793 Windows Vista x64 Edition Service Pack 2
        04/11/2017 3178710 Microsoft Office 2013 Service Pack 1 (64-bit editions)
        04/11/2017 3178710 Microsoft Office 2013 Service Pack 1 (32-bit editions)
        04/11/2017 3141529 Microsoft Office 2007 Service Pack 3
        04/11/2017 3178703 Microsoft Office 2016 (32-bit edition)
        04/11/2017 3141538 Microsoft Office 2010 Service Pack 2 (32-bit editions)
        04/11/2017 3141538 Microsoft Office 2010 Service Pack 2 (64-bit editions)
        04/11/2017 3178703 Microsoft Office 2016 (64-bit edition)

        1 user thanked author for this post.
    • #107711 Reply

      MrBrian
      AskWoody MVP
    • #107712 Reply

      MrBrian
      AskWoody MVP

      An important detail from CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API:

      “The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue.”

      It seems that both the Windows and an Office update are needed to make Office invulnerable to this vulnerability.

      • This reply was modified 6 months, 1 week ago by  MrBrian.
    • #108107 Reply

      anonymous

      MBAE 1.09 – Latest standalone BETA
      1.09.1.1384 4/12/2017

      https://forums.malwarebytes.com/topic/184939-mbae-109-latest-standalone-beta/?do=findComment&comment=1116935

      New Features:
      • Hardened and more secure API hooking framework
      • Added self-protection mechanisms
      • Added sandbox technique for Silverlight
      • Added Layer3 techniques against Macro exploits
      • Added Layer3 techniques against social engineering exploits
      • Added Java advanced configuration options for companies
      • Added dynamic configuration feature to manage conflicts
      • Added support for MS Play Ready
      • Changed balloon notification to off by default
      • Remove Run entry during uninstallation

      Fixes:
      • Fixed conflict with Symantec DLP
      • Fixed conflict with Chinese banking software
      • Fixed conflict with Sophos AV
      • Fixed Edge browser crashes on Windows Insider Preview builds
      • Fixed MS Office application crashes with MBAE
      • Fixed conflict with McAfee HIPS
      • Fixed false positives with Java Protection Technique
      • Fixed a logging issue for critical errors
      • Fixed service restart issues

      Direct Download

    • #108456 Reply

      Jonesy
      AskWoody Lounger

      Crikey.

      I don’t have Office X, just the Win7Pro 64 SP1 OS. I use OpenOffice 4.1.3 and Foxit PDF. When Dell and local Mr Fixit Computer Guy insist on turning on WU to Auto and installing the March patches without clearing it with me first, I feel like it’s you and me against the world.

      Based on all the checking I’ve been doing this week, I think, I could be wrong, but I think I’m ok, despite getting a .doc from tcm.com with a return USPS label for some bad Adam-12. It has been decades since anyone has done that to me.

      Just for that, they won’t get my MST3K The Joel Years order. The Mike Years will see me later.

      Many thanks to Woody and all his compatriots for ramrodding this patch drive. Extra brews are due ye.

      Still Learning

    • #108649 Reply

      MrBrian
      AskWoody MVP
    • #109056 Reply

      AlexN
      AskWoody Lounger

      Forgive me if this question seems dumb, but why in the name of all things holy would these companies even operate under a system as dumb as “make the bug known, and if no fix comes in 60 days we’ll post the exploit in public where hackers can use it.”

      Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
      A weatherman that can code

      • #109110 Reply

        b
        AskWoody Lounger

        McAfee screwed up:

        As to why the company published the blog post four days prior to Patch Tuesday, McAfee attributed it to a “glitch.”
        “We had a glitch in our communications with our partner Microsoft that impacted a coordinated response to these attacks, which is being corrected,” writes Vincent Weafer, vice president of McAfee Labs. “We have nothing more to say at this time.”

        http://www.bankinfosecurity.com/blogs/did-microsoft-drop-ball-on-word-zero-day-flaw-p-2448

        1 user thanked author for this post.
        • #109258 Reply

          AlexN
          AskWoody Lounger

          Your desperation to defend Windows (in particular, Windows10) led you to not even coming close to answering my question.

          Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
          A weatherman that can code

          • #111837 Reply

            b
            AskWoody Lounger

            Your desperation to defend Windows (in particular, Windows10) led you to not even coming close to answering my question.

            I answered your question completely and exactly, and it had nothing whatsoever to do with Windows 10.

    • #109071 Reply

      zero2dash
      AskWoody Lounger

      Was anyone able to test whether or not EMET protected against this?
      The Ars article mentioned not knowing whether EMET did protect against it, but I see no confirmation either way.
      I figure since many of us here are more stringent on ‘how’ we test, maybe someone’s covered that.
      Just curious – TIA. 🙂

      • #109093 Reply

        MrBrian
        AskWoody MVP

        When I tested, I didn’t test against EMET, but I highly doubt EMET would help in this case.

        • This reply was modified 6 months ago by  MrBrian.
    • #109114 Reply

      anonymous

      Has this been patched yet?

      1 user thanked author for this post.
      • #109122 Reply

        MrBrian
        AskWoody MVP

        Yes, in the April 2017 patches. You very likely (in my opinion) need both the relevant Office patch and the April 2017 Windows update to fix this issue for Office.

    • #109185 Reply

      MrBrian
      AskWoody MVP

      CVE-2017-0199 Demo (video)

      • This reply was modified 6 months ago by  MrBrian.
      • #111846 Reply

        anonymous

        Thanks for posting a demonstration video link.

        1 user thanked author for this post.
    • #110410 Reply

      MrBrian
      AskWoody MVP

      From CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API:

      “[Version] 1.1     21-Apr-2017     Corrected severity entries for Microsoft Office products. This is an informational change only. Customers who have successfully installed the update do not need to take any further action.”

    • #111323 Reply

      MrBrian
      AskWoody MVP

      From Hackers exploited Word flaw for months while Microsoft investigated:

      “To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199.

      The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft’s regular monthly security update.

      But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time. “

    • #120236 Reply

      MrBrian
      AskWoody MVP

      From An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability (June 4, 2017):

      “FortiGuard Labs recently came across a new strain of samples exploiting the CVE-2017-0199 vulnerability. This vulnerability was fixed by Microsoft and the patch was released in April 2017. Due to its simplicity, it can be easily exploited by attackers. It has also been found in-the-wild by other vendors. We have also blogged about some samples recently found in spear phishing attack.”

      2 users thanked author for this post.
    • #134036 Reply

      MrBrian
      AskWoody MVP

      CVE-2017-0199 is listed as a “top 10” issue at McAfee’s Threat Landscape Dashboard (in both the Threats and Vulnerabilities tabs)

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Booby-trapped Word documents in the wild exploit critical Microsoft 0day

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.