New Microsoft Office vulnerabilities?

It seems that all versions of Microsoft Office contain vulnerabilities caused by embedded objects that can be used to execute (remote) code on a local machine. Here is an overview of the topic, as information for admins in business/corporate environments.



I became aware of this topic via this tweet from security expert Kevin Beaumont, who addressed the issue.

It seems to be possible to misuse code from a Word document to execute programs and commands. On Twitter there is a discussion about whether this is a new or an old attack vector, and my understanding is that new attack vectors have been discovered. Yorick Koster has published more details on his blog in the article "Click me if you can, Office social engineering with embedded objects".

Embedded objects in Office documents

The attack vector is not really new: the biggest vulnerability in Microsoft Office is the ability to embed objects in documents and then misuse their functions for attacks. Yorick Koster has collected some approaches in his blog post and points out new threats. One threat is to include the Shell.Explorer.1 OLE object (CLSID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}) in a Word document and let it act as an embedded Windows Explorer or an embedded Internet Explorer.

Yorick Koster describes an interesting scenario when the Shell.Explorer.1 object functions as an embedded Internet Explorer. In addition to embedding a web browser in a document, it also allows you to browse files on your local machine and browse files in remote locations (shares and websites). But this is not possible without user interaction.



Download from Word with embedded Internet Explorer
(Source: securify.nl)

A click is required to activate the object in this mode. However, clicking on the object triggers the file download functionality of Internet Explorer, so that the user is shown a file download dialog. If the user clicks Run or Open (depending on the file format), the file is executed. Some file types (such as .exe files) may trigger a warning in a dialog box. However, this could be avoided by using other file types.

Proof of Concept via PowerShell

Yorick Koster provides a Proof of Concept (PoC) on his website. A PowerShell script attempts to create a Word document with Internet Explorer embedded.

Demo of the PoC Word Shell.Explorer.1 attack
(Source: securify.nl)

If the user opens the Word document and clicks on the embedded object, a warning appears. If the user confirms this with Open, the computer is opened by Windows. The PoC then only has to be delivered to the user by suitable means. What is new in this scenario is the possibility of embedding a URL pointing to the 'bad' files in a Word document.

Yorick Koster describes further scenarios using the Microsoft Forms 2.0 HTML Control in his blog post. He also points out that content loaded from the Web is usually marked accordingly and is therefore opened in Office in Protected View. The affected objects are then blocked and cannot be executed. Administrators in corporate environments should read Koster's original blog post to be prepared for such scenarios.
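
For admins who want to check documents for the embedded object described above, the following Python sketch searches an Office file for the Shell.Explorer.1 ProgID and CLSID. It is an added example, not code from Yorick Koster's post or from this blog; the part names and sample documents in `build_sample` are constructed, and a match is only a heuristic indicator (hex-encoded or otherwise obfuscated content is not covered).

```python
import io
import uuid
import zipfile

# CLSID and ProgID of the Shell.Explorer.1 object, as given in the article.
CLSID = uuid.UUID("EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B")
PROGID = "Shell.Explorer.1"


def patterns():
    """Byte patterns that can reference the object inside a document part."""
    pats = {"clsid-binary": CLSID.bytes_le}  # GUID byte layout used in OLE storages
    for text in (str(CLSID), PROGID):
        for enc in ("ascii", "utf-16-le"):
            pats[f"{text} ({enc})"] = text.lower().encode(enc)
    return pats


def scan_document(data: bytes):
    """Return sorted (part name, pattern label) hits for a document's bytes."""
    if zipfile.is_zipfile(io.BytesIO(data)):      # .docx/.docm and similar
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            parts = [(name, zf.read(name)) for name in zf.namelist()]
    else:
        parts = [("<raw file>", data)]            # legacy formats: scan as-is
    hits = set()
    for name, blob in parts:
        lowered = blob.lower()                    # case-insensitive text match
        for label, pat in patterns().items():
            haystack = blob if label == "clsid-binary" else lowered
            if pat in haystack:
                hits.add((name, label))
    return sorted(hits)


def build_sample(with_object: bool) -> bytes:
    """Constructed test input: a minimal ZIP shaped like a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document>hello</w:document>")
        if with_object:
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}"/>')
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"\x00" * 80 + CLSID.bytes_le + b"\x00" * 32)
    return buf.getvalue()
```

Calling `scan_document(open(path, "rb").read())` on a file returns an empty list when none of the patterns is present; any hit names the document part to inspect.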

