Here's how attackers take advantage of Office document vulnerabilities on Windows 10
Malware campaigns take advantage of security vulnerabilities and people's naivety, making them difficult to stop.
What you need to know
- Researchers have detailed how a recent malware campaign uses Office documents to get malware onto people's PCs.
- The attack exploits a vulnerability in Windows 10 and tricks people into leaving themselves exposed.
- Microsoft has mitigations for the vulnerability, but workarounds have been discovered.
Details have come out regarding a vulnerability in Windows that left some people open to attacks that utilize Office documents. Microsoft disclosed the Windows CVE-2021-40444 zero-day vulnerability on Tuesday, September 7, 2021, but the company did not share many details about it at the time. Microsoft explained that the vulnerability could be exploited by using ActiveX controls contained in Office documents. This method could be used to get malware onto computers. Now, we have more details about the issue.
Bleeping Computer gathered comments from several security experts regarding the vulnerability to illustrate how it works to attackers' advantage. For reference: Documents open in Protected View in Office if a Mark of the Web (MotW) is detected, signaling that a document originated on the Internet and could be dangerous. This security measure, however, isn't a foolproof solution.
Vulnerability analyst Will Dormann explained some of the flaws in this setup:
There are also some types of files, such as RTF files, that don't open in Protected View, which causes security issues.
Inspired by @buffaloverflow, I tested out the RTF attack vector. And it works quite nicely.
WHERE IS YOUR PROTECTED MODE NOW? pic.twitter.com/qf021VYO2R
— Will Dormann (@wdormann) September 9, 2021
Microsoft has mitigations in place to prevent ActiveX controls from running in Internet Explorer, but researchers have found workarounds.
To illustrate the viability of these types of attacks, here's a hypothetical that utilizes several attack methods we've reported on over the last few months.
Suppose you receive an email that appears to be from Futurenet.com, but instead, it's actually from Futurenеt.com (note the second "e" being different). This email would be from a spoof domain that utilizes an old-school tactic that mixes characters from the Latin and Cyrillic alphabets together. At a quick glance, the email looks legitimate. Now imagine this trick combined with a recent bug in Outlook that failed to differentiate between Latin and Cyrillic characters, causing malicious email addresses to appear alongside genuine contact cards within Outlook.
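As an added illustration of the mixed-alphabet spoof described above (example code written for this page, not from the article or any researcher it cites), here is a small Python check that flags sender domains whose labels mix Latin and Cyrillic letters and shows the punycode form that is actually resolved. The sample addresses and the audit_sender helper are constructed for this example.

```python
import unicodedata

# Constructed sample senders for the article's hypothetical: the second uses
# Cyrillic small letter ie (U+0435) where the Latin "e" belongs.
SAMPLE_SENDERS = [
    "news@Futurenet.com",
    "news@Futuren\u0435t.com",
]


def scripts_of(label: str) -> set[str]:
    """Unicode scripts used by the letters of one DNS label.

    The script is taken from the leading word of each character's Unicode
    name ("LATIN SMALL LETTER E" vs "CYRILLIC SMALL LETTER IE").
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(hostname: str) -> bool:
    """True if any label of the hostname mixes letters from more than one script."""
    return any(len(scripts_of(label)) > 1 for label in hostname.split("."))


def punycode_form(hostname: str) -> str:
    """ASCII (xn--) form that a mail server or browser would actually resolve."""
    return hostname.lower().encode("idna").decode("ascii")


def audit_sender(address: str) -> dict:
    """Report on the domain part of an e-mail address (constructed helper)."""
    domain = address.rsplit("@", 1)[-1]
    return {
        "domain": domain,
        "punycode": punycode_form(domain),
        "mixed_script": is_mixed_script(domain),
        "scripts": {label: sorted(scripts_of(label)) for label in domain.split(".")},
    }


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        report = audit_sender(sender)
        flag = "SUSPICIOUS" if report["mixed_script"] else "ok"
        print(f"{sender!r}: {flag} -> {report['punycode']} {report['scripts']}")
```

A mail gateway or SOC enrichment step can apply the same check to the From: domain and surface the xn-- form, which is much harder to mistake for the legitimate name.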
In the aforementioned hypothetical and seemingly innocent email is a Word document claiming to be about something routine, such as a newsletter that needs reading or a form that needs filling out. When you click the hypothetical document, it shows up in Protected View because it's a document from the web. Many people will ignore that warning and click "enable editing" on any document they open. People are even more likely to enable editing on a document that appears to be from a genuine contact.
Once you click the enable editing button, your PC is exposed to malicious code, like that found in recent attacks highlighted by researchers. The recent "Windows 11 Alpha" campaign is a great example of this type of attack. It claims that people need to click a button to make a document from Windows 11 compatible with Windows 10. People unfamiliar with Windows 11 are likely to believe a prompt like this and open their PC to an attack.
Threat actors often take advantage of a combination of security vulnerabilities and people's ignorance or innocence. Microsoft may be able to patch one set of vulnerabilities, but others can be discovered. At least some people will continue to be ignorant or naïve, which is why attack campaigns continue to be successful.
Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.