Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
SUBSCRIBE
Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
Zerosecurity
No Result
View All Result
Home Exploits

Zero Day Impacts Most Versions of Microsoft Word

Paul Anderson by Paul Anderson
March 27, 2014 - Updated on June 3, 2022
in Exploits
0
Microsoft Word zero day
74
SHARES
1.2k
VIEWS
Share on FacebookShare on Twitter

Focused attacks have already been identified against a zero-day vulnerability in Microsoft Word 2010, leading Microsoft to issue an exclusive security advisory and provide a Fix-it solution for users until a patch is prepared.

You might also like

Plex media server seen exploited in the wild utilizing a 3 year old RCE

New TPM 2.0 exploit attackers to access or overwrite sensitive data

Google reports a rise in ransomware attacks

Currently, the attacks are concentrating on Microsoft Word 2010, but the tech giant stated the vulnerability affects Word 2003, 2007, 2013, and 2013 RT, in addition to Office for Mac, Office Web Apps 2010 and 2013, and Word Viewer.

The exploit is related to an issue within the management of RTF files. Microsoft furthermore identified that there’s a theoretical technique by which an attacker could trigger the vulnerability in Outlook, however that technique hasn’t been seen in the wild yet.

“The attack detected in the wild is limited and very targeted in nature. The malicious document is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented programming techniques using native RTF encoding schemes to craft ROP gadgets,” Chengyun Chu and Elia Florio of the MSRC engineering team wrote in a blog post analyzing the exploit.

“When the memory corruption vulnerability is triggered, the exploit gains initial code execution and in order to bypass DEP and ASLR, it tries to execute the ROP chain that allocates a large chunk of executable memory and transfers the control to the first piece of the shellcode (egghunter). This code then searches for the main shellcode placed at the end of the RTF document to execute it.” they added.

The shellcode alone includes a variety of components meant to detect whether it’s being run within an environment where it’s being examined. But this technique is nothing new and has been seen for several years.

The shellcode utilized in the Word exploit campaign has several levels of encryption and also checks for debugging flags and indicators that the code is running within a sandbox. The shellcode also has a function that looks at the patch level of the compromised machine to discover when the last update was installed.

“The shellcode will not perform any additional malicious action if there are updates installed after April 8, 2014. This means that even after successful exploitation with reliable code execution, after this date the shellcode may decide to not drop the secondary backdoor payload and simply abort the execution. When the activation logic detects the correct condition to trigger, the exploit drops in the temporary folder a backdoor file named ‘svchost.exe’ and runs it. The dropped backdoor is a generic malware written in Visual Basic 6 which communicates over HTTPS and relies on the execution of multiple windows scripts via WScript.Shell and it can install/run additional MSI components,” the Microsoft researchers said.

Tags: exploitMicrosoft Wordzero day
Share30Tweet19
Paul Anderson

Paul Anderson

Editor and chief at ZeroSecurity. Expertise includes programming, malware analysis, and penetration testing. If you would like to write for ZeroSecurity, please click "Contact us" at the top of the page.

Recommended For You

Plex media server seen exploited in the wild utilizing a 3 year old RCE

by Kyle
March 11, 2023
0
Plex RCE responsible-for lastpass breach

CISA, the cybersecurity and infrastructure agency, has included a severe remote code execution (RCE) vulnerability in the Plex Media Server, which is nearly three years old, in its...

Read more

New TPM 2.0 exploit attackers to access or overwrite sensitive data

by Paul Anderson
March 5, 2023
0
New TPM 2.0 Exploit

Two buffer overflow vulnerabilities have been discovered in the Trusted Platform Module (TPM) 2.0 specification, which could give cybercriminals unauthorized access to or the ability to overwrite sensitive...

Read more

Google reports a rise in ransomware attacks

by Paul Anderson
July 15, 2022
0
Google reports a rise in ransomware attacks

In the 3rd issue of the recently released, Threat Horizons, Google's Cybersecurity Action Team (GCAT) provides organizations with information about emerging risks and actionable mitigation. Bad actors have...

Read more

Cross-Site Scripting (XSS) attack method steals your browser’s auto-fill credentials

by Christi Rogalski
July 11, 2022 - Updated on February 23, 2023
0
Cross-Site Scripting (XSS) attack method steals your browser’s auto-fill credentials

Cross-site scripting, also known as XSS, attacks rank high on lists of common cybersecurity risks. It is the injection of malicious code into the web application to exploit...

Read more

Citrix exploit CWE-284 allows hackers to reset admin password

by Christi Rogalski
July 8, 2022
0
Citrix CWE-284 CVE-2022-27511 exploit

A critical bug has been identified in the Citrix Application Delivery Management console (ADM) that, if exploited, could lead to a serious security breach including allowing the attackers...

Read more
Next Post
Microsoft’s Violation to catch Windows 8 Source Leaker

Microsoft's Violation to catch Windows 8 Source Leaker

Related News

NSA intercepting U.S. Routers

NSA intercepting U.S. Routers

June 6, 2014 - Updated on March 17, 2023
Netwire RAT seized by FBI and other worldwide police agencies

Netwire RAT seized by FBI and other worldwide police agencies

March 16, 2023
The Emotet botnet returns and is sending a slew of malicious emails

The Emotet botnet returns and is sending a slew of malicious emails

March 14, 2023
Zerosecurity

We cover the latest in Information Security & Blockchain news, as well as threat trends targeting both sectors.

Categories

  • Crypto
  • Data Breaches
  • DotNet Framework
  • Downloads
  • Exploits
  • Exploits
  • Information
  • Legal
  • Malware
  • Malware Analysis
  • Mobile Security
  • Paper Downloads
  • Piracy
  • Privacy
  • Programming
  • Public
  • Security
  • Security
  • Software & Service Reviews
  • Technology News
  • Tools
  • Tutorials
  • Video Tutorials
  • Whitepapers
  • Zero Security
  • Contact Us
  • List of our Writers

© 2022 ZeroSecurity, All Rights Reserved.

No Result
View All Result
  • Home
  • Security
  • Exploits
  • Data Breaches
  • Malware
  • Privacy
  • Mobile Security
  • Tools
  • Contact Us
  • Privacy Policy

© 2022 ZeroSecurity, All Rights Reserved.