Attackers Hit Microsoft Word Through Unpatched Flaw

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

A fresh attack on Microsoft Word uses an unpatched flaw to bypass protections and install backdoors on victims’ systems

Malicious hackers have exploited a previously-unknown, unpatched flaw in Microsoft Word, the tech titan has warned.

The attacks took advantage of a freshly-uncovered weakness (a “zero day” flaw) in how Word parses Rich Text Format files combining it with a bypass of Microsoft’s address space layout randomization (ASLR). ASLR is a technology that strengthens security by randomising the memory layout of an executing program, decreasing the probability an exploit will work.

Microsoft Office OnlineExploits could take place without the user clicking a thing, as code could be executed simply by viewing the preview pane  in Outlook. However, Microsoft said it had never seen an attack using this method.

Zero-day Word attack

“At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010,” the firm said in an advisory. Attacks on Word 2013, the latest version of the software, failed.

“The attack detected in the wild is limited and very targeted in nature. The malicious document is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented-programming [ROP] techniques using native RTF encoding schemes to craft ROP gadgets.”

In any case, the shellcode used in the zero-day attacks would not perform any additional malicious action if there were updates installed after 8 April 2014.

The malware dropped by the shell was a “generic” backdoor, Microsoft said. It was written in Visual Basic 6 and communicated over HTTPS, but could run additional programs when launched.

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) should block attacks if users can turn it on. Otherwise, they should block RTF files completely or ensure Word opens RTF documents in Protected View, which can be done via Trust Center settings.

A Fix it solution has been made available within the advisory. Mac users running Word are affected too.

Drew Hintz, Shane Huntley, and Matty Pellegrino from the Google security team were credited with finding the attacks.

 Are you a security expert? Try our quiz!