Fresh Microsoft Office zero-day executes code on fully patched applications – IT PRO

Fresh Microsoft Office zero-day executes code on fully patched applications – IT PRO

Fresh Microsoft Office zero-day executes code on fully patched applications – IT PRO 0 0 charlie

View all Business
View all Cloud
View all Hardware
View all Infrastructure
View all Security
View all Software
View all Technology
A new Microsoft Office zero-day vulnerability has been discovered by security researchers that leads to code execution.
The vulnerability involves exploiting maliciously crafted documents (maldocs) to load HTML code which then uses the ms-msdt Microsoft Office Uniform Resource Identifier (URI) scheme to execute PowerShell code.
Office URIs were introduced in Office 2010 Service Pack 2 and allow Office applications to be invoked using various commands.
Ms-msdt is a URI that invokes a troubleshooting pack at the command line or as part of an automated script and enables additional options without user input.
The exploit is an example of ways cyber attackers are bypassing Microsoft’s tougher rules on macro-enabled documents – a method of malware delivery previously very popular until Microsoft’s intervention earlier this year.
In testing the vulnerability, independent security researcher Kevin Beaumont noticed that Defender for Endpoint was not detecting the execution of the code embedded in the maldocs and that it would still work when Office macros were fully disabled.
Other researchers have spotted Defender for Endpoint and the free version of the anti-malware tool picking up the malicious sample, though.
Beaumont also noted the Office’s limited-functionality Protected View does initiate in the most up-to-date Office versions, requiring the user to click out of the safer mode for the document to execute.
However, if the maldoc is saved in a Rich Text Format (RTF), then the malicious code can run even if the document hasn’t been opened, via the Windows Explorer preview tab.
Okay, the preview pane one is pretty wild pic.twitter.com/RYtH9Bb4rm
Beaumont said he was able to exploit the vulnerability in Office versions 2013 and 2016, and added that he was unable to reproduce the exploit on the current public and insider builds.
Other researchers have been able to test the vulnerability further, with one achieving a working exploit using Windows 11 and an April version of Office Pro Plus. Another was able to replicate it on a fully patched Microsoft Office 2021.
Despite it not currently believed to be affecting the most recent versions, Beaumont – a former Microsoft-employed cyber security expert – said the zero-day is still noteworthy given that many businesses run older channels of Office software.
“Detection is probably not going to be great, as Word loads the malicious code from a remote template (webserver), so nothing in the Word document is actually malicious,” he said.
“Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking. Microsoft will probably point towards Protected View, however, Protected View also applies by default to all macros, and Office macro malware is most definitely a major problem regardless.
“Additionally, you can use MS Protocol URI schemes in Outlook emails,” he added.
It’s currently unclear how Microsoft intends to respond to the discovery and how quickly a patch will be made available.
IT Pro contacted Microsoft for a response but it did not reply at the time of publication.
The 3D trends report
Presenting one of the most exciting frontiers in visual culture
The financial services survival guide
How uncertainty and disruption is forcing financial services to innovate
Building a better password strategy for your business
Exploring the strategies and exploits that hackers are using to circumvent password security measures
Market guide for web, product, and digital experience analytics
Analyse customer and user behaviour, digital product performance and usage patterns to improve the digital customer experience
Microsoft’s GitHub Copilot sued over “software piracy on an unprecedented scale”
No Wi-Fi is better than slow Wi-Fi
LockBit repeats 'PR stunt' as Thales ransomware investigation reveals no breach
ITPro is part of Future plc, an international media group and leading digital publisher. Visit our corporate site www.futureplc.com
© Future Publishing Limited, Quay House, The Ambury, Bath BA1 1UA. All rights reserved. England and Wales company registration number 2008885

source

    Would you like to receive notifications on latest updates? No Yes