Qualys Blog

www.qualys.com
wkandek

New 0-day out for Microsoft Word – Update2

Update2: McAfee published an analysis of an exploit for CVE-2014-1761. Very interesting and eye-opening, as everything is controlled through the RTF document itself:

  • The attackers use a listoverridecount value of 25, which is outside of the 0, 1 or 9 specified in the standard. This confuses the RTF handler in Word and makes it possible to control the content of the program counter of the processor.
  • This gives the attacker the basis for arbitrary code execution. In this case the attackers are able to point the program counter to machine code that is included in the document itself, which makes the exploit very self-contained: no additional setup files are needed.
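
A defender can screen incoming RTF files for the anomaly described in the first bullet. The Python below is an added example, not code from McAfee, Microsoft or this post; the function name and both sample documents are constructed for illustration, and it checks only this one indicator.

```python
import re

# Values the post cites as allowed by the RTF standard.
ALLOWED_COUNTS = {0, 1, 9}

# An RTF control word: backslash, ASCII letters, optional signed integer.
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")

# Constructed sample documents (not taken from any real exploit).
BENIGN = rb"{\rtf1{\*\listoverridetable{\listoverride\listid1\listoverridecount0\ls1}}}"
SUSPECT = rb"{\rtf1{\*\listoverridetable{\listoverride\listid1\listoverridecount25\ls1}}}"


def find_bad_listoverridecounts(data: bytes):
    """Return (offset, value) for each \\listoverridecount outside ALLOWED_COUNTS.

    A control word with no numeric parameter is reported with value None.
    """
    findings = []
    pos = 0
    while pos < len(data):
        if data[pos:pos + 1] != b"\\":
            pos += 1
            continue
        match = CONTROL_WORD.match(data, pos)
        if match is None:
            # Control symbol such as \\, \{, \} or \'hh: skip the escaped byte
            # so literal text like "\\listoverridecount25" is not parsed.
            pos += 2
            continue
        word, param = match.group(1), match.group(2)
        pos = match.end()
        if word == b"bin" and param is not None:
            # \binN is followed by one delimiter space and N raw bytes; skip them.
            if data[pos:pos + 1] == b" ":
                pos += 1
            pos += max(int(param), 0)
        elif word == b"listoverridecount":
            value = int(param) if param is not None else None
            if value not in ALLOWED_COUNTS:
                findings.append((match.start(), value))
    return findings
```

A hit is a reason to quarantine the file for analysis; a clean result says nothing about other RTF parsing flaws.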

Conclusion: Patch this as quickly as possible, i.e. next Tuesday. The attacks are real and happening now. The exploit does not look that hard to replicate with the information provided. Beyond patching, it makes sense to disable opening RTF files anyway, which is what the FixIt in KB2953095 does. It certainly looks as if there is more potential for this type of vulnerability, which can be found with relatively little investment in file fuzzing. See Charlie Miller’s presentation on "dumb fuzzing" for some initial reading.

Update: Microsoft published a post on the SRD blog with more details, including some test data of the exploit with EMET. It seems that EMET's ASLR enforcement effectively counters the exploit. Good stuff!

Original: Microsoft acknowledged today in KB2953095 a vulnerability present in Microsoft Word and Microsoft Outlook that is being exploited in the wild. The vulnerability CVE-2014-1761 is in the file format parser for RTF (Rich Text Format) and could be used by an attacker to gain remote access to the targeted system. The attack vector is a document in RTF format that the victim would have to open with Word. If the target uses Outlook 2007, 2010 or 2013 for e-mail, please be aware that Word is the default viewer for e-mails, and that even looking at the e-mail in the preview pane could lead to an infection through this attack.

The current workaround is to disable RTF as a supported format in Microsoft Office. The advisory contains a link to FixIt 51010, which performs this action for the end user. A secondary recommended action is to work with plain text in e-mails, which is generally a recommended safeguard that prevents the "drive-by" character of these types of attacks. It is described in this knowledgebase article at the Microsoft site.

Microsoft credits Drew Hintz, Shane Huntley, and Matty Pellegrino from the Google Security team with the discovery.

Please note that Mac users are affected. The advisory lists Microsoft Office for the Mac 2011 as vulnerable.

Stay tuned for more news as the situation is developing.
