Categories: SecurityWorkspace

Attackers Hit Microsoft Word Through Unpatched Flaw

Malicious hackers have exploited a previously-unknown, unpatched flaw in Microsoft Word, the tech titan has warned.

The attacks took advantage of a freshly-uncovered weakness (a “zero day” flaw) in how Word parses Rich Text Format files combining it with a bypass of Microsoft’s address space layout randomization (ASLR). ASLR is a technology that strengthens security by randomising the memory layout of an executing program, decreasing the probability an exploit will work.

Exploits could take place without the user clicking a thing, as code could be executed simply by viewing the preview pane  in Outlook. However, Microsoft said it had never seen an attack using this method.

Zero-day Word attack

“At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010,” the firm said in an advisory. Attacks on Word 2013, the latest version of the software, failed.

“The attack detected in the wild is limited and very targeted in nature. The malicious document is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented-programming [ROP] techniques using native RTF encoding schemes to craft ROP gadgets.”

In any case, the shellcode used in the zero-day attacks would not perform any additional malicious action if there were updates installed after 8 April 2014.

The malware dropped by the shell was a “generic” backdoor, Microsoft said. It was written in Visual Basic 6 and communicated over HTTPS, but could run additional programs when launched.

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) should block attacks if users can turn it on. Otherwise, they should block RTF files completely or ensure Word opens RTF documents in Protected View, which can be done via Trust Center settings.

A Fix it solution has been made available within the advisory. Mac users running Word are affected too.

Drew Hintz, Shane Huntley, and Matty Pellegrino from the Google security team were credited with finding the attacks.

Are you a security expert? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

5 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

7 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

9 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

10 hours ago