Latest Word zero-day similar to exploits in other targeted attacks

Exploits involved booby-trapped Rich Text Format file and Microsoft Outlook email

Exploits aimed at the recently discovered zero-day vulnerability in Microsoft Word are similar to those used last year by hackers suspected of gathering intelligence for nation states or private companies, a researcher says.


Microsoft disclosed the vulnerability Monday in a security bulletin that said the flaw was being exploited in "limited, targeted attacks" directed at Word 2010. The same vulnerability is also in Word 2003, 2007, 2013 and 2013 RT. The latter is the operating system for Windows tablets running on ARM processors.

The exploits included a booby-trapped Rich Text Format (RTF) file and a specially crafted email message for Microsoft Outlook. Both exploits target the same previously unknown vulnerability, which the email vector can trigger when Word is used as Outlook's email viewer.

The RTF exploit is similar to those used in zero-day attacks last year against Microsoft Office, security vendor Sophos told CSOonline Tuesday. The older exploits were also used in targeted attacks, known in the industry as an advanced persistent threat (APT).

"All of them (exploits) were discovered in almost an identical manner -- used in a single attack against a single organization in the wild when they were zero-days," Chester Wisniewski, senior security adviser for Sophos, said. "So when I heard about this thing (latest exploit), immediately I'm like, 'Oh, it's probably the same guys.'"

Over the last half dozen years or so, every RTF exploit targeting a zero-day vulnerability was being used to steal information from a particular target, Wisniewski said.

APT attacks are typically launched against companies in a specific industry, such as defense or financial services. The hackers are usually paid to conduct national or industrial espionage.

While there's no immediate danger for most companies from the latest threat, similar exploits will eventually be used by mainstream hackers focused on compromising PCs to steal online banking credentials, credit card numbers and other personal data.

Last year's RTF exploits were found in money-stealing malware families, most notably Zbot, three months after the exploits were discovered in APT attacks. Zbot is used primarily to steal online banking credentials, including usernames, passwords and one-time access codes used in two-factor authentication.

None of Sophos' corporate customers have so far reported finding the latest exploit on their systems.

"At this point, the garden variety bad guys have not figured it out yet, which is good news," Wisniewski said. "They will figure it out, but at this point, 24 hours in, we've had zero hits in our telemetry."

Office is a focus of many APT attacks because large companies are generally slower to patch the productivity suite than the Windows operating system, Wisniewski said. That's because patching Office in thousands of computers can be a major undertaking.


"If you were a company with 25,000 PCs in defense, I don't know that you can roll out a fix fast enough," Wisniewski said. "You're still going to be vulnerable for a while."

Stories by Antone Gonsalves