Targeted attacks have already been observed exploiting a zero-day vulnerability in Microsoft Word 2010, prompting Microsoft to issue a dedicated security advisory and a Fix it workaround for users until a patch is ready.
The attacks seen so far concentrate on Word 2010, but Microsoft says the vulnerability also affects Word 2003, 2007, 2013 and 2013 RT, as well as Office for Mac, Office Web Apps 2010 and 2013, and Word Viewer.
The vulnerability lies in Word's handling of RTF files. Microsoft also identified a theoretical technique by which an attacker could trigger it through Outlook, when Word is used as the email viewer, but that technique has not been seen in the wild yet.
“The attack detected in the wild is limited and very targeted in nature. The malicious document is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented programming techniques using native RTF encoding schemes to craft ROP gadgets,” Chengyun Chu and Elia Florio of the MSRC engineering team wrote in a blog post analyzing the exploit.
“When the memory corruption vulnerability is triggered, the exploit gains initial code execution and in order to bypass DEP and ASLR, it tries to execute the ROP chain that allocates a large chunk of executable memory and transfers the control to the first piece of the shellcode (egghunter). This code then searches for the main shellcode placed at the end of the RTF document to execute it,” they added.
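The egghunter stage described in the quote above, modelled as an added example (this is not Microsoft's analysis code or the attackers' shellcode): a small C program stands in for the first-stage shellcode and searches a constructed memory region for the doubled tag that marks the main payload. Assumptions, labelled in the comments: the 4-byte tag `w00t`, a 4 KiB page size, and a per-page "mapped" table in place of the system call a real hunter uses to probe whether a page is readable without faulting. The doubled tag is what lets the hunter skip its own single copy of the tag; the unmapped page shows why the search advances a page at a time when a probe fails.

```c
/* Added example: a user-mode model of the egghunter stage. Not Microsoft's
 * code and not the attackers' shellcode; it illustrates the technique on a
 * constructed buffer standing in for the RTF document mapped in memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define NPAGES    8u
#define EGG_TAG   "w00t"   /* assumed tag; the real campaign's marker is not given in the text */

/* Constructed stand-in for the process address space: a flat buffer plus a
 * per-page "mapped" table. A real egghunter probes readability with a system
 * call that returns an error instead of faulting on an unmapped address. */
typedef struct {
    uint8_t mem[PAGE_SIZE * NPAGES];
    int     mapped[NPAGES];
} addr_space_t;

static int page_ok(const addr_space_t *as, size_t off) {
    return off < sizeof as->mem && as->mapped[off / PAGE_SIZE];
}

/* Egghunter: walk memory looking for the 4-byte tag stored twice back to back.
 * Returns the offset of the payload that follows the egg, or -1 if not found. */
static long egghunt(const addr_space_t *as, const char tag[4]) {
    size_t off = 0;
    while (off + 8 <= sizeof as->mem) {
        /* Unreadable page (or an egg that would straddle into one): jump to
         * the next page boundary instead of faulting. */
        if (!page_ok(as, off) || !page_ok(as, off + 7)) {
            off = (off / PAGE_SIZE + 1) * PAGE_SIZE;
            continue;
        }
        if (memcmp(as->mem + off, tag, 4) == 0 &&
            memcmp(as->mem + off + 4, tag, 4) == 0)
            return (long)(off + 8);
        off++;
    }
    return -1;
}

/* Constructed "document": filler, a decoy single tag (which must not match),
 * an unmapped hole, and the egg + payload near the end, where the text says
 * the main shellcode sits in the RTF file. Returns the payload's offset. */
static const char PAYLOAD[] = "MAIN-SHELLCODE-STANDIN";

static size_t build_space(addr_space_t *as) {
    memset(as->mem, 'A', sizeof as->mem);            /* RTF filler */
    for (unsigned i = 0; i < NPAGES; i++) as->mapped[i] = 1;
    as->mapped[3] = 0;                               /* hole the hunter must step over */

    memcpy(as->mem + 100, EGG_TAG, 4);               /* decoy: tag appears only once */

    size_t egg_off = sizeof as->mem - 8 - sizeof PAYLOAD;
    memcpy(as->mem + egg_off, EGG_TAG, 4);
    memcpy(as->mem + egg_off + 4, EGG_TAG, 4);
    memcpy(as->mem + egg_off + 8, PAYLOAD, sizeof PAYLOAD);
    return egg_off + 8;
}

/* Returns 1 if the hunt lands exactly on the payload, 0 otherwise. */
static int run_demo(void) {
    static addr_space_t as;
    size_t expected = build_space(&as);
    long found = egghunt(&as, EGG_TAG);
    return found == (long)expected &&
           memcmp(as.mem + found, PAYLOAD, sizeof PAYLOAD) == 0;
}

/* No egg anywhere: the hunter must run off the end and report failure (-1). */
static long run_no_egg(void) {
    static addr_space_t as;
    build_space(&as);
    memset(as.mem, 'A', sizeof as.mem);              /* wipe decoy, egg and payload */
    return egghunt(&as, EGG_TAG);
}

int main(void) {
    static addr_space_t as;
    size_t expected = build_space(&as);
    long found = egghunt(&as, EGG_TAG);
    printf("payload expected at %zu, egghunter found %ld: %s\n",
           expected, found, found >= 0 ? (const char *)as.mem + found : "(none)");
    return found == (long)expected ? 0 : 1;
}
```

Build it with `cc -o egghunt egghunt.c` (assuming that file name) and run it; the hunter skips the decoy at offset 100 and the unmapped page, then reports the payload offset at the end of the buffer. In the real exploit the same search runs over the process address space after the ROP chain has already made an executable region, which is why the hunter itself can stay tiny.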
The shellcode itself contains several checks meant to detect whether it is running inside an analysis environment. Such anti-analysis techniques are nothing new and have been seen in the wild for years.
The shellcode used in the Word exploit campaign is wrapped in several layers of encryption and checks for debugging flags and for indicators that it is running inside a sandbox. It also contains a routine that inspects the patch level of the compromised machine to determine when the last update was installed.
“The shellcode will not perform any additional malicious action if there are updates installed after April 8, 2014. This means that even after successful exploitation with reliable code execution, after this date the shellcode may decide to not drop the secondary backdoor payload and simply abort the execution. When the activation logic detects the correct condition to trigger, the exploit drops in the temporary folder a backdoor file named ‘svchost.exe’ and runs it. The dropped backdoor is a generic malware written in Visual Basic 6 which communicates over HTTPS and relies on the execution of multiple Windows scripts via WScript.Shell and it can install/run additional MSI components,” the Microsoft researchers said.