July 6, 2016 By Douglas Bonderud 2 min read

Microsoft Office is huge. As noted by Windows Central, there are more than 1.2 billion users worldwide leveraging some version of Office. While big numbers are good for Microsoft and generally positive for consumers, there’s another group enjoying the benefit: attackers.

Not only are they targeting new deployments of Office 365, but according to SecurityWeek, these cybercriminals are also leveraging old Microsoft vulnerabilities to gain arbitrary code execution and wreak havoc. Here’s a look at what’s being called “the bug that just won’t die.”

One Step Forward…

The recent Office issues call to mind a quote from fictional manager Michael Scott of television show “The Office”: “I have flaws, what are they? Oh, I don’t know, I sing in the shower, sometimes I spend too much time volunteering, occasionally I’ll hit someone with my car.” Microsoft’s offering is similar: Many of its flaws — remember the helpful paper clip? — are better categorized as minor annoyances, but occasionally a problem emerges that’s just too big to ignore.

That’s the case with CVE-2012-0158, which, according to Sophos, was the most popular exploit vector in Q4 2015. The year marker tells the tale: This issue was detected and fixed over four years ago, yet almost 40 percent of computers worldwide are still susceptible.

Here’s how it works: Attackers convince users to open files hosted on a malicious website or delivered as an email attachment. Since these files are often in .doc or .xml format, it’s no stretch for employees to assume they’re legitimate. Once the document is opened on a vulnerable device, cybercriminals can execute arbitrary code, effectively turning Office programs into stealthy malware droppers.

The malware is also adaptive. Attackers first used Microsoft Excel worksheet encryption and then RTF embedding to obfuscate their activities and dupe antivirus products. Ultimately, the combination of trusted file formats, vulnerable software versions, high-level program control and antivirus evasion has conspired to keep this old-timer in the office long after it should have retired.
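The file-format trickery described above (trusted .doc and .xml extensions, OLE objects embedded in RTF) is something a mail gateway or SOC can triage before a user ever opens the attachment. The following Python script is an added example, not code from the article or from any of the vendors it cites. It checks that an attachment's real container matches its extension (Office opens RTF content regardless of a .doc extension, so a mismatch is worth a look), counts OLE objects embedded in RTF streams, and lists ActiveX control parts inside OOXML packages. The extension-to-container policy and the sample files are constructed for this example; the script flags documents for review rather than declaring them malicious.

```python
import io
import os
import re
import zipfile

# Container signatures (properties of the published file formats, not taken from the article)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls (OLE compound file)
RTF_MAGIC = b"{\\rtf"                               # Rich Text Format
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.xlsx) is a ZIP container

# Which container each extension is expected to carry (assumed policy for this example)
EXPECTED_CONTAINER = {
    ".doc": "ole", ".dot": "ole", ".xls": "ole",
    ".docx": "ooxml", ".xlsx": "ooxml",
    ".rtf": "rtf", ".xml": "xml",
}


def detect_container(data: bytes) -> str:
    """Identify the real container from its leading bytes, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.lstrip().startswith(b"<?xml"):
        return "xml"
    return "unknown"


def rtf_embedded_objects(data: bytes) -> int:
    """Count OLE objects embedded in an RTF stream (each carries an \\objdata group)."""
    return len(re.findall(rb"\\objdata\b", data))


def ooxml_activex_parts(data: bytes) -> list:
    """List ActiveX control parts in an OOXML package (word/activeX/..., xl/activeX/...)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [name for name in z.namelist() if "/activeX/" in name]
    except zipfile.BadZipFile:
        return []


def triage(filename: str, data: bytes) -> list:
    """Return human-readable findings that warrant a closer look; empty list means nothing flagged."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    kind = detect_container(data)
    expected = EXPECTED_CONTAINER.get(ext)
    if expected is not None and kind != expected:
        findings.append(f"extension {ext} but content is {kind}")
    if kind == "rtf":
        count = rtf_embedded_objects(data)
        if count:
            findings.append(f"rtf embeds {count} OLE object(s)")
    elif kind == "ooxml":
        parts = ooxml_activex_parts(data)
        if parts:
            findings.append(f"ooxml contains ActiveX parts: {parts}")
    return findings


def build_samples() -> dict:
    """Constructed sample attachments (not real malware) to exercise the triage logic."""
    clean_doc = OLE_MAGIC + b"\x00" * 504            # minimal OLE header, nothing else
    # RTF text carrying one embedded object, but saved under a .doc extension
    rtf_as_doc = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}"
                  b"{\\*\\objdata 00010203}}\\par Quarterly report\\par}")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<?xml version='1.0'?><Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/activeX/activeX1.bin", b"\x00" * 16)   # placeholder control part
    return {"report.doc": clean_doc, "invoice.doc": rtf_as_doc, "memo.docx": buf.getvalue()}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, triage(name, blob) or ["no findings"])
```

In practice the triage output would feed a quarantine or analyst queue; an RTF with embedded objects or an OOXML package with ActiveX parts is not necessarily malicious, but both are exactly the constructs the article describes attackers using, so they merit inspection on a host that is still missing the relevant patches.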

…And Two Steps Back for Microsoft Vulnerabilities

While old Microsoft vulnerabilities are still causing havoc, the software giant is also dealing with newly discovered flaws in previous Office iterations. As noted by Microsoft TechNet, for example, a new fix for CVE-2016-0025 — which affects Office versions from 2016 back to 2006 — addresses the same type of remote code execution issue as CVE-2012-0158.

Even the company’s new cloud-based offering Office 365 isn’t immune. SC Magazine reported that, on June 22, millions of Office 365 users were sent phishing emails that contained Cerber ransomware. Once infected, users were informed via audio files that they had been infected and had to pay 1.4 bitcoins (around $500) to regain file access.

Despite a rapidly increasing attack surface, things are looking up for Office. New holes are being patched, Microsoft said it blocked the Office 365 attack within hours of detection, and even CVE-2012-0158 exploits have been forced to shift from spam campaigns to targeted attacks as security teams crack down.

Still, it’s worth noting that just as old versions of Office provide substantial functionality for users long after new iterations are released, that same longevity helps prop up previous attacks.
