{"id":6780,"date":"2018-08-30T01:08:17","date_gmt":"2018-08-29T23:08:17","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=6780"},"modified":"2021-11-12T14:56:38","modified_gmt":"2021-11-12T13:56:38","slug":"new-microsoft-office-vulnerabilities","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/08\/30\/new-microsoft-office-vulnerabilities\/","title":{"rendered":"New Microsoft Office vulnerabilities?"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2012\/07\/Office1.jpg\" width=\"55\" align=\"left\" height=\"60\">[<a href=\"https:\/\/www.borncity.com\/blog\/2018\/08\/30\/neue-microsoft-office-schwachstellen\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]It seems that all versions of Microsoft Office contain vulnerabilities caused by embedded objects that can be used to execute (remote) code on a local machine. Here is an overview of the topic &#8211; as information for admins in business\/corporate environments. <\/p>\n<p><!--more--><\/p>\n<p>I became aware of this topic via <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1034333152276299776\" target=\"_blank\" rel=\"noopener noreferrer\">this tweet<\/a> from security expert Kevin Beaumont, who addressed the issue. 
<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\">Speaking of Microsoft 0day, here's a new Office code execution technique (all versions) which MS aren't planning to fix by <a href=\"https:\/\/twitter.com\/yorickkoster?ref_src=twsrc%5Etfw\">@yorickkoster<\/a> <a href=\"https:\/\/t.co\/JvAsj1QJdo\">https:\/\/t.co\/JvAsj1QJdo<\/a> <a href=\"https:\/\/t.co\/f7mROqf8JC\">pic.twitter.com\/f7mROqf8JC<\/a><\/p>\n<p>\u2014 Kevin Beaumont (@GossiTheDog) <a href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1034333152276299776?ref_src=twsrc%5Etfw\">28. August 2018<\/a><\/p><\/blockquote>\n<p><span id=\"preserve779c514a5032485989b267e5d2f321dd\" class=\"wlWriterPreserve\"><SCRIPT charset=\"utf-8\" src=\"https:\/\/platform.twitter.com\/widgets.js\" async><\/SCRIPT><\/span> <\/p>\n<p>It seems to be possible to misuse code from a Word document to execute programs and commands. On Twitter it is being discussed whether this is a new or an old attack vector &#8211; and my understanding is that new attack vectors have been discovered. Yorick Koster has published more details on his blog in the article <a href=\"https:\/\/web.archive.org\/web\/20180829050233\/https:\/\/securify.nl\/blog\/SFY20180801\/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html\" target=\"_blank\" rel=\"noopener noreferrer\">Click me if you can, Office social engineering with embedded objects<\/a>. <\/p>\n<h2>Embedded objects in Office documents<\/h2>\n<p>The attack vector is not really new: the biggest vulnerability in Microsoft Office is the ability to embed objects in documents and then misuse their functions for attacks. Yorick Koster has collected some approaches in his blog post and points out new threats. One threat is to include the Shell.Explorer.1 OLE object (CLSID <em>{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}<\/em>) in a Word document and let it act as an embedded Windows Explorer or an embedded Internet Explorer. 
<\/p>\n<p>Yorick Koster describes an interesting scenario in which the Shell.Explorer.1 object functions as an embedded Internet Explorer. In addition to embedding a web browser in a document, it also allows you to browse files on your local machine and browse files in remote locations (shares and websites). But this is not possible without user interaction.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Download from Word with embedded Internet Explorer\" alt=\"Download from Word with embedded Internet Explorer\" src=\"https:\/\/web.archive.org\/web\/20180829050237\/https:\/\/securify.nl\/blog\/SFY20180801\/File-Download-dialog.png\" width=\"640\" height=\"401\"><br \/>(Source: securify.nl) <\/p>\n<p>A click is required to activate the object in this mode. However, clicking on the object triggers the file download functionality of Internet Explorer, so that the user is shown a file download dialog. If the user clicks Run or Open (depending on the file format), the file is executed. Some file types (such as .exe files) may trigger a warning in a dialog box. However, this could be avoided by using other file types. <\/p>\n<h2>Proof of Concept via PowerShell <\/h2>\n<p>Yorick Koster provides a Proof of Concept (PoC) on his website. A PowerShell script attempts to create a Word document with Internet Explorer embedded. <\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Demo of the PoC Word Shell.Explorer.1 attack\" alt=\"Demo of the PoC Word Shell.Explorer.1 attack\" src=\"https:\/\/web.archive.org\/web\/20180829050237\/https:\/\/securify.nl\/blog\/SFY20180801\/Shell.Explorer.1-demo.gif\" width=\"640\" height=\"480\"><br \/>(Source: securify.nl)  <\/p>\n<p>If the user opens the Word document and clicks on the embedded object, a warning appears. If he confirms this with Open, the computer is opened by Windows. The PoC document then only has to be delivered to the user by suitable means. 
New in this scenario is the ability to embed a URL with the 'bad' files in a Word document.&nbsp; <\/p>\n<p>Yorick Koster <a href=\"https:\/\/web.archive.org\/web\/20180829050233\/https:\/\/securify.nl\/blog\/SFY20180801\/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html\" target=\"_blank\" rel=\"noopener noreferrer\">describes<\/a> further scenarios using the Microsoft Forms 2.0 HTML Control in his blog post. He also points out that content loaded from the Web is usually marked accordingly and is therefore loaded into Office in Protected View. Then the objects concerned are blocked and cannot be executed. Administrators in corporate environments should read Koster's original blog post to be prepared for such scenarios. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]It seems that all versions of Microsoft Office contain vulnerabilities caused by embedded objects that can be used to execute (remote) code on a local machine. Here is an overview of the topic &#8211; as information for admins in business\/corporate &hellip; <a href=\"https:\/\/borncity.com\/win\/2018\/08\/30\/new-microsoft-office-vulnerabilities\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22],"tags":[125,69],"class_list":["post-6780","post","type-post","status-publish","format-standard","hentry","category-security","category-update","tag-office","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/6780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=6780"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/6780\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=6780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=6780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=6780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}