Sophos Cloud Optix
Microsoft has issued an emergency security alert about an in-the-wild exploitable vulnerability in Word.
To clarify the jargon in that first sentence:
- A vulnerability is the flaw that caused the bug that could let crooks get in.
- An exploit is a way for the crooks to use a vulnerability in practice, and actually get in.
- In the wild means the crooks not only can get in, but are actively doing so already.
If that sounds rather bad, it is.
Usually, Microsoft’s updates appear in a regular, frequent and predictable way, published on Patch Tuesday, the second Tuesday of every month.
This is a good approach for patching vulnerabilities for which no known exploit yet exists, or exploits that were discovered by Microsoft’s own researchers, or holes that were found privately and responsibly disclosed to Microsoft so it could fix them before they became publicly known.
It gives Microsoft time to test, and test again, that the patches don’t cause problems that outweigh the security risk or, worse, open up yet more security holes.
And it lets IT teams plan their routine patching to minimise disruption.
But when the crooks start using an exploit before a patch is available, the hole is rather quaintly called a zero-day, or 0-day (pronounced “oh day”), because the maximum number of days you could have been patched ahead of the exploit was zero.
Many, if not most, software vulnerabilities are hard to exploit, meaning that even if you patch some time after the fix was available, you might get lucky.
The crooks might never actually manage to work out how to turn the vulnerability into a practicable exploit. (This is rather dramatically called weaponising a vulnerability.)
But in the case of a zero-day, the weaponisation has already happened.
That’s the case with this latest alert about what is known as CVE-2014-1761, as Microsoft explains:
Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
Sophos products detect booby-trapped files exploiting this vulnerability as Exp/20141761-A.
This sounds surprisingly like two existing, well-known Word exploits that have been widely used over the past few years.
These previous exploits are two and four years old respectively, and go by the tags CVE-2010-3333 and CVE-2012-0158.
SophosLabs researcher Gabor Szappanos (Szappi) recently published a paper analysing the historical record of these two vulnerabilities – both are generally exploited by what Microsoft above calls “specially crafted RTF files” – and discovered an interesting phenomenon.
Szappi noticed the 2010 and 2012 exploits were intially seen almost exclusively in attacks that were probably initiated for intelligence gathering purposes, presumably by hackers paid to conduct national or industrial espionage.
But over the past year, that has changed so that these exploits now appear frequently in broader attacks mounted by cybercriminals focused on making money through bots and zombies.
Don’t wait for that to happen here – mitigate the CVE-2014-1761 problem right away!
You can reduce your exposure to attacks delivered in RTF files with these steps:
1. Block RTFs at the gateway.
Consider blocking or quarantining these files by type or extension at your email gateway.
Sophos’s Email Appliance and UTM products can do this for you.
2. Stop RTFs opening in Word.
Consider using Microsoft’s Fix it solution to turn off Word’s ability to open and view RTF content altogether.
3. Use Microsoft’s EMET.
Consider using Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) as a way to sandbox Microsoft Office to make it harder to exploit.
EMET can prevent unpatched vulnerabilities from being successfully weaponised.
4. Switch to plain text in email.
If you use Outlook, consider switching your email to plain text.
This makes some emails, such as marketing mails and newsletters, harder to read.
But it limits your risk when reading emails containing booby-trapped content.
By the way, when a permanent fix for CVE-2014-1761 comes out, take the opportunity to make sure that you aren’t missing the patches for CVE-2010-3333 and CVE-2012-0158.
The fact that cybercrooks are still making extensive use of these holes, years on, suggests that many people still aren’t patched.
That might be because they aren’t patching at all, but seems equally likely that even users and IT administrators who try to be faithful about Microsoft updates may be lacking one or two fixes, exposing them to the very holes that cybercriminals are adept at jumping through.
NB. Article updated at 2014-03-25T14:30Z to clarify that only a workaround is currently available from Microsoft, not a permanent patch.
So where’s the patch? It’s not on Windows Update, and none of the pages you’ve linked to mention a patch; they only mention workarounds.
Correct: I’ve updated the article to make this quite clear.
For a non techie, what does this mean? That Word files coming into your email as attachments could have a virus or a worm? What if you don’t have a workgroup, etc and don’t often receive Word files from someone else? What if you only open emails from sources you trust?
Loosely speaking, yes, there could be a virus or worm in a Word file. (Strictly speaking, most threats these days aren’t viruses or worms – i.e. they don’t spread onwards from your computer, they infect you and stay put. But the danger to you is the same. I’ll use the word “malware,” meaning “malicious software,” in place of “virus.”)
The technical idea is that a crook deliberately creates a Word file that includes a fragment of a malware program, mixed in with the document, where you simply don’t expect it.
Then the crook bends and twists the Word file, so to speak, so that when you open it, Word crashes (that’s the “vulnerability” part) but in such a way that the fragmentary program hidden inside gets to run (that’s the “exploit” part).
If that happens, simply opening up the booby-trapped Word file to read it will be enough for the crook to infect you with malware.
However, in this particular incident, the only so-far-known way to get the attack to work is by using a Word file in what’s known as RTF (rich text format).
Most people exchange Word files in DOC or DOCX format, and don’t use RTF files at all. So the Microsoft “Fix It” mentioned above will protect you a lot – it prevents your copy of Word from opening RTF files, so if someone sends you an RTF, it’s essentially harmless because Word will ignore it.
As for only opening attachments from email sources you trust: that is a VERY good idea! If only everyone would do it!
It isn’t 100% foolproof (your trusted friend could be infected, and might pass on an infected file by mistake), but it will GREATLY reduce your risk. Most attacks of the sort described in the article don’t come from people you know. They come from people who *pretend* to know you or to have business with you.
(Here an example of how the guys try to trick you: “Here is your invoice for charges of $263 on your card. To see your account or to dispute the charges, please open the attached file.” Or they say: “This is [Well Known Courier Company]. We tried to deliver a parcel to [your business address] but failed. Please open the attached file for instructions on how to arrange a convenient time for delivery.” All a pack of lies, but lots of people assume there is no harm in looking, just in case – *even though they have never heard of the sender before*. Stick to trusted email sources, and use the Fix It to block RTF files, and a lot of the risk described above is removed.)
Patch ? I see no patch. Just a security advisory. Nothing in WSUS either.
Sorry – article has been updated to make this clear. There is nothing in WSUS yet [2014-03-25T14:30Z]. See above for mitigations, and for what Sophos Anti-Virus blocks exploit files as…but, indeed, no permanent “immunisation” update yet.
Do you know if this applies to those of us who have not seen a reason to update to Office 2010? Are 2007 and 2003 also vulnerable?
Office 2003 and 2007 are on Microsoft’s list (click on the “Security Advisory” image above to go to the relevant Microsoft advisory page).
So, yes, they are vulnerable (i.e. contain the buggy code).
But, as mentioned above, not every vulnerability can be turned into a working exploit, and so far, the only known successful attacks are against Office 2010.
Never say never, of course…for all we know, a crook could figure out tonight how to extend the attack to 2003 and 2007. But at the moment, you’re OK if you do not have Office 2010.
Similarly, a crook might find out how to extend the attack to DOC or DOCX files, not only RTFs. But at the moment, blocking RTFs via the Fix It is a good stopgap.
Ok so what happens if an infected RTF file is opened by say wordpad or another program like open office, would that execute the malware ???
No. Open Office doesn’t use any of the software components from Microsoft Word, so it doesn’t have this bug. And as far as I know, Wordpad doesn’t either (because Wordpad works without Office installed).
So if you use the Microsoft Fix It, which means you can’t open RTFs in Word (by accident or design), and then you _do_ happen to receive an RTF, and you _do_ know the sender, and you _are_ ready to trust the file…you could always open it with Wordpad instead, just to have a look. It might be very slightly less convenient than your usual workflow but it effectively lets you have your cake and eat it.
just change the default program for RTF to wordpad then if word is installed and it is set for that file extension.
Actually, it’s not really an out-of-band-patch. What the fix-it does, is block some functionality (opening of rtf-files), probably via a registrykey. It is standard-procedure for Microsoft to provide quick mitigating solutions, and this fix-it falls in line with this standard behaviour.
True. In fact, I’ve removed that bit about ‘out-of-band’ fixes. As you say, there isn’t a permanent “that bug no longer exists” update yet, just a workaround.
.
Another solution is to not use Microsoft Word at all, there are several other alternatives – such as LibreOffice, OpenOffice, etc. They themselves may have vulnerabilities too.
I don’t know the details of the vulnerability, but wouldn’t it be easy to fool the user by changing the extension to .doc? Most programs don’t look at the extension to read the file, they only look at the internal format.
This means that until a patch comes out, you should distrust any extension associated with Word.
My understanding is that the “Fix It” turns off the code inside Word that actually processes RTF content.
So the extension is irrelevant – if you load a file called THIS.DOC or THAT.DOCX that is, in fact, a misnamed but booby-trapped RTF, then Word will simply not process the file (it effectively no longer knows how to). So the exploit can’t trigger.
I always get the best looks from the business (and even technical teams!) with item #4: Switch to plain text in email.
Well…that’s Microsoft’s suggestion, bless their hearts! I thought it was great! I suspect that about 5% of the emails I get actually benefit from HTML, and of that 5%, about 0.5% actually require it. But, as you say, not a popular suggestion.
Q. How do I put a cute wallpaper image behind my emails in plain text mode?
A. You don’t. That’s one of the benefits of plain text email.
Q. WHAT, NO MORE WALLPAPER? ARE YOU KIDDING ME? WHAT ABOUT MY LOLCATS?
I don’t (I think) have Word installed on my Win7 x64 system. I use Wordpad for viewing RTF files. Is this also vulnerable?
To the best of my knowledge, Wordpad is not vulnerable. (Wordpad works without Office installed, so it doesn’t use the buggy components.)
Does this apply to Word 2011 (Mac) as well?
No. And yes 🙂 According to Microsoft’s list of at-risk products, the vulnerable code is in the Mac version of Word.
But the only attack files so far seen, and the ones that provoked Microsoft to issue the alert, are RTF files targeting Office 2010 on Windows.
There’s a link in the article to Microsoft’s report on the actual techie details of the exploit – as you will see if you look at it, the attack is non-trivial, and rather specific. I dont think the current attack files could be adapted to work on a Mac: an attacker would pretty much have to start from scratch to weaponise the bug on OS X.
If you’re worried, why not set Pages as the default program to open document attachments on your Mac? (If you have Mavericks, Pages is now free.)
That way you won’t get any surprises, and you can re-load the file later in Word if you need or want to.
Pages is sometimes overkill for a text file.
TextEdit comes on every Mac and works great on rtf files.
Perfectly true! (I suggested Pages because it’s closer to Word in functionality – if you’re expecting a Word-like environment, TextEdit might be a bit startlingly basic, but if all you want to do is take a look at an RTF, it’s great.)
Hi, sorry for the probably stupid question, but what are RTF files? Could you please give me an example? Thank you.
RTF is “rich text format.” It’s just a way of saving Word files, similar to DOC or DOCX, except that the file is stored using a text-based representation.
So, just as you can have images in JPG, PNG, BMP format, and so on, you can save documents in DOC, DOCX, RTF and more.
A different part of the Word software is used to process RTF files when you open them. It’s that part of Word 2010 that the crooks have worked out how to abuse.
Using the Fix It listed above lets you turn of the RTF-loading part of Word – so DOC and DOCX files will load in but RTF-type files won’t. That increases your safety.
RTF files can actually be opened in a text editor like NOTEPAD, and the raw “rich text” viewed, something like this:
{\rtf1\ansi\ansicpg1252\uc1\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\…\fprq2{\*\panose 02020603050405020304}Times New Roman;}…
…and so on. Note the text “rtf1” at the start – that denotes it’s an RTF file. It’s just one of many ways of encoding and storing Word documents.
Thank you very much for the excellent and thorough explanation!
Use Microsoft’s EMET. is very good if you set it up right & don’t use word.
LibreOffice, OpenOffice is better
The reference to the Sophos detection is at odds with the Sophos page at
http://www.sophos.com/en-us/threat-center/threat-analyses/vulnerabilities/VET-000590.aspx
Do you have a reference for the Sophos detection of this vulnerability?
The Sophos detection name is as given in the article: Exp/20141761-A.
For some reason, the Labs guys don’t put the detection names in the vulnerablity articles. I’m assuming they don’t list the detections because often there’s a huge list of possibly-relevant names, e.g. for an IE Cumulative Update…but for Microsoft bulletins that deal with a single vulnerability, it might be worth doing so.
I’ll pass on your comment as a suggestion, if you don’t mind 🙂
This makes me thankful to have switched to Open Office, even though I don’t like it nearly as much as the older version of Microsoft Word I used to use. Will a good, comprehensive internet security program, like Kaspersky or Trend Micro protect from this type of malware?
I can tell you whether Sophos will protect you 🙂 (Blocked as Exp/20141761-A, as mentioned above.)
As for other products…you’ll have to ask them. A decent product ought to – and if you’ve got “defence in depth” you should get multiple chances to stop malicious objects, e.g. at your email gateway (if sent as an attachment); in your UTM web filter (if part of a web page); in your browser; on download but before the file actually opens up. If you stop the file anywhere before it “gets into” Microsoft Word, you win.
Hmmmm. What about, in OS X, using TextEdit to open RTF files, which are their main format? Would highlighting, copying and pasting the content into a blank Word document pass along the malware?
No. Pasting the file out of TextEdit might pass along any *formatting* mangulations caused by TextEdit, but pasting text into Word doesn’t generate an RTF file.
You only get an RTF out of Word if you explicitly save as an RTF the content you pasted into it. Of course, you don’t have to do that – you could save it as a DOCX, for example. (While this scare is on, you might as well avoid saving RTFs, so you don’t panic the next guy 🙂
Anyway, the RTFs generated by the crooks were not produced naturally by Word’s “Save As RTF” option. They were, to use the jargon, “specially crafted,” probably by hand or using a custom-made RTF-bodging script.
Isn’t the issue a little more extensive than just Word?
https://technet.microsoft.com/en-us/security/advisory/2953095
“using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer.”
” Note that by default, Microsoft Word is the email reader in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.”
The implication of these comments appears to be that just viewing a specially crafted RTF email message in the default configuration of Outlook leaves you vulnerable.
This seems to be much more serious than the typical opening an attached file to get infected type of attack that your article seems to imply.
Yes, Outlook is affected, though the bug *is in Word*, so if you apply the Fix It, you prevent RTFs from rendering in Word-via-Outlook.
Also, we do mention “switch to plain text email in Outlook” (as suggested by Microsoft) above.
I originally mentioned Outlook explicitly in the article, but it was hard to avoid making it sound OTT (as though there was also a bug in Outlook itself), given that the flaw is in Word and the Word-based workaround sorts out the issue for any application that uses Word for rendering.
I might add something in given that it seems the preview pane in Outlook could be enough on its own. (Click that Fix It, I reckon!)
Is it possible to get clarification of what an “RTF email message” looks like and how it can be identified? For example, does it necessarily have an attachment such that the message is listed with a paperclip in the list of messages inside Outlook? Based on the section “Differences between the message formats” seen at http://office.microsoft.com/en-us/outlook-help/change-the-message-format-to-html-rich-text-format-or-plain-text-HA102749169.aspx, I’m not sure that the malicious message will necessarily show with attachments. It’s amazing that Microsoft is not more clear about this and has not done more to publicize the issue.
Outlook emails created in RTF format are not attachments, but rather a separate message part just like plain text and HTML. The Outlook renderer is not vulnerable to this flaw.
If someone attaches an RTF it will show up as an attachment.