July 6, 2016 By Douglas Bonderud 2 min read

Microsoft Office is huge. As noted by Windows Central, there are more than 1.2 billion users worldwide leveraging some version of Office. While big numbers are good for Microsoft and generally positive for consumers, there’s another group enjoying the benefit: attackers.

Not only are they targeting new deployments of Office 365, but according to SecurityWeek, these cybercriminals are also leveraging old Microsoft vulnerabilities to gain arbitrary code access and wreak havoc. Here’s a look at what’s being called “the bug that just won’t die.”

One Step Forward…

The recent Office issues call to mind a quote from fictional manager Michael Scott of television show “The Office”: “I have flaws, what are they? Oh, I don’t know, I sing in the shower, sometimes I spend too much time volunteering, occasionally I’ll hit someone with my car.” Microsoft’s offering is similar: Many of its flaws — remember the helpful paper clip? — are better categorized as minor annoyances, but occasionally a problem emerges that’s just too big to ignore.

That’s the case with CVE-2012-0158, which, according to Sophos, was the most popular exploit vector in Q4 2015. The year marker tells the tale: This issue was detected and fixed over four years ago, yet almost 40 percent of computers worldwide are still susceptible.

Here’s how it works: Attackers convince users to open files on a malicious website or via an email attachment. Since these files are often .doc or .xml format, it’s no stretch for employees to assume they’re legitimate. Once cybercriminals infect a device, they can execute arbitrary code, effectively turning Office programs into stealthy malware droppers.

The malware is also adaptive. Attackers first used Microsoft Excel worksheet encryption and then RTF embedding to obfuscate their activities and dupe antivirus products. Ultimately, the combination of trusted file formats, vulnerable software versions, high-level program control and antivirus adaptation have conspired to keep this old-timer in the office long after it should have retired.

…And Two Steps Back for Microsoft Vulnerabilities

While old Microsoft vulnerabilities are still causing havoc, the software giant is also dealing with newly discovered flaws in previous Office iterations. As noted by Microsoft TechNet, for example, a new fix for CVE-2016-0025 — which affects Office versions from 2016 back to 2006 — addresses the same type of remote code execution issue as CVE-2012-0158.

Even the company’s new cloud-based offering Office 365 isn’t immune. SC Magazine reported that, on June 22, millions of Office 365 users were sent phishing emails that contained Cerber ransomware. Once infected, users were informed via audio files that they had been infected and had to pay 1.4 bitcoins (around $500) to regain file access.

Despite a rapidly increasing attack surface, things are looking up for Office. New holes are being patched, Microsoft said it blocked the 365 attack within hours of detection, and even CVE-2012-0158 exploits have been forced to shift from spam campaigns to targeted attacks as security teams crack down.

Still, it’s worth noting that just as old versions of Office provide substantial functionality for users long after new iterations are released, that same longevity helps prop up previous attacks.

More from

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today