July 6, 2016 By Douglas Bonderud

Microsoft Office is huge. As noted by Windows Central, there are more than 1.2 billion users worldwide leveraging some version of Office. While big numbers are good for Microsoft and generally positive for consumers, there’s another group enjoying the benefit: attackers.

Not only are they targeting new deployments of Office 365, but according to SecurityWeek, these cybercriminals are also leveraging old Microsoft vulnerabilities to achieve arbitrary code execution and wreak havoc. Here’s a look at what’s being called “the bug that just won’t die.”

One Step Forward…

The recent Office issues call to mind a quote from fictional manager Michael Scott of television show “The Office”: “I have flaws, what are they? Oh, I don’t know, I sing in the shower, sometimes I spend too much time volunteering, occasionally I’ll hit someone with my car.” Microsoft’s offering is similar: Many of its flaws — remember the helpful paper clip? — are better categorized as minor annoyances, but occasionally a problem emerges that’s just too big to ignore.

That’s the case with CVE-2012-0158, which, according to Sophos, was the most popular exploit vector in Q4 2015. The year marker tells the tale: This issue was detected and fixed over four years ago, yet almost 40 percent of computers worldwide are still susceptible.

Here’s how it works: Attackers convince users to open files on a malicious website or via an email attachment. Since these files are often in .doc or .xml format, it’s no stretch for employees to assume they’re legitimate. Once cybercriminals infect a device, they can execute arbitrary code, effectively turning Office programs into stealthy malware droppers.

The malware is also adaptive. Attackers first used Microsoft Excel worksheet encryption and then RTF embedding to obfuscate their activities and dupe antivirus products. Ultimately, the combination of trusted file formats, vulnerable software versions, high-level program control and antivirus adaptation has conspired to keep this old-timer in the office long after it should have retired.
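An added example, not part of the original article: a minimal Python triage for a mail gateway or file share that identifies a document's real container type from its leading bytes rather than its extension, and flags RTF content carrying embedded objects, the disguise described above. The function names, extension map and sample bytes are constructed for illustration.

```python
import os
import re

# Leading bytes of the container formats Office opens.
OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls compound file
ZIP = b"PK\x03\x04"                        # OOXML (.docx/.xlsx)
RTF = b"{\\rt"                             # Word parses RTF whatever the extension
BOM = b"\xef\xbb\xbf"

# Container type each extension is expected to hold (assumed policy map).
EXPECTED = {".doc": "ole2", ".xls": "ole2", ".docx": "zip",
            ".xlsx": "zip", ".rtf": "rtf", ".xml": "xml"}

# RTF control words that introduce an embedded OLE object or ActiveX control.
# Deliberately obfuscated RTF can evade a plain regex; this is a first-pass filter.
OBJ_WORDS = re.compile(rb"\\(objdata|objocx|objemb|object)(?![a-z])")

def sniff(data):
    """Return the container type judged from content, not from the file name."""
    if data.startswith(BOM):
        data = data[len(BOM):]
    head = data.lstrip()
    for magic, kind in ((OLE2, "ole2"), (ZIP, "zip"), (RTF, "rtf"), (b"<?xml", "xml")):
        if head.startswith(magic):
            return kind
    return "unknown"

def triage(name, data):
    """Flag extension/content mismatches and embedded objects in RTF."""
    kind = sniff(data)
    ext = os.path.splitext(name.lower())[1]
    flags = []
    if EXPECTED.get(ext, kind) != kind:
        flags.append("extension-mismatch")
    if kind == "rtf":
        words = {w.decode() for w in OBJ_WORDS.findall(data)}
        if words:
            flags.append("embedded-object")
        if "objocx" in words:
            flags.append("activex-control")
    return {"file": name, "type": kind, "flags": flags}

# Constructed sample: RTF content saved under a .doc name, with an inert object stub.
SAMPLE = b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objdata 0105000002000000}}}"

if __name__ == "__main__":
    print(triage("invoice.doc", SAMPLE))
    print(triage("notes.rtf", b"{\\rtf1\\ansi Hello}"))
```

Files that come back with flags are candidates for quarantine or detonation in a sandbox rather than direct delivery to the user.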

…And Two Steps Back for Microsoft Vulnerabilities

While old Microsoft vulnerabilities are still causing havoc, the software giant is also dealing with newly discovered flaws in previous Office iterations. As noted by Microsoft TechNet, for example, a new fix for CVE-2016-0025 — which affects Office versions from 2016 back to 2006 — addresses the same type of remote code execution issue as CVE-2012-0158.

Even the company’s new cloud-based offering, Office 365, isn’t immune. SC Magazine reported that, on June 22, millions of Office 365 users were sent phishing emails that contained Cerber ransomware. Victims were then informed via audio files that they had been infected and had to pay 1.4 bitcoins (around $500) to regain file access.

Despite a rapidly increasing attack surface, things are looking up for Office. New holes are being patched, Microsoft said it blocked the 365 attack within hours of detection, and even CVE-2012-0158 exploits have been forced to shift from spam campaigns to targeted attacks as security teams crack down.

Still, it’s worth noting that just as old versions of Office provide substantial functionality for users long after new iterations are released, that same longevity helps prop up previous attacks.
