Researchers at Google have notified Microsoft of a new Word zeroday vulnerability. This attack is currently being leveraged in the wild to target systems running Microsoft Word 2010. The attack can be successful simply by a user opening a maliciously crafted RTF file within Microsoft Word.
The full extent of the breaches caused by this zeroday vulnerability is unknown, but Microsoft has provided some information about the exploit payload and subsequent malware itself. The exploit is sophisticated enough to be able to bypass some built-in operating system security protections, such as ASLR. But even more interesting is the fact that the logic of the exploit will look to see if a system has had any new Microsoft patches installed after April 8, 2014 and if so, it will not install its secondary malware payload. April 8th, 2014 is of course next month's Patch Tuesday.
If the exploit is successful, it will copy a piece of malware to the affected users %temp% folder and then also enable the malware to start on the next system reboot by adding a registry entry to the current users RunOnce registry key. Neither of these two locations require Administrative rights to prevent the malware from successfully embedding in a system. However, least-privilege environments, such as those leveraging PowerBroker, can still help limit the future efforts of attackers in this case.
For example, if your employees are running with local Administrator privileges, as soon as an attacker successfully leverages this Word vulnerability, they could execute privileged commands, such as dumping all user account password hashes present on a system. An attacker could then leverage these account credentials to move laterally through your environment. On the flip side, however, if you are properly implementing a least-privilege environment where users are running as standard user accounts, then performing privileged functions, such as password dumps, would be prevented and only possible if the attackers employed a secondary privilege escalation exploit. In this particular attack, we have not witnessed the attackers using any secondary privilege escalation exploits to gain more privileges.
We have added an entry into our ZeroDay Tracker for this vulnerability, so check back as we will be updating it with any new information:
http://www.eeye.com/resources/security-center/research/zero-day-tracker/2014/20140324
Also, for customers leveraging PowerBroker for Windows in their environments, you can secondarily create a specific rule to block the malicious file hashes that are known so far:
MD5: af63f1dc3bb37e54209139bd7a3680b1
SHA1: 77ec5d22e64c17473290fb05ec5125b7a7e02828
For customers leveraging Retina for Vulnerability Management, you can use the following Retina Audits to detect vulnerable versions of Word:
33352 - Microsoft Office Remote Code Execution (2953095) (Zero-Day) - Windows
33353 - Microsoft Office Remote Code Execution (2953095) (Zero-Day) - Mac OS X
Check back to our blog for any updates as we learn any new information.
Further reading:
Microsoft Advisory - http://technet.microsoft.com/en-us/security/advisory/2953095
Microsoft Technical Blog - https://blogs.technet.microsoft.com/srd/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections/
CVE Entry - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1761
