We’ve recently become aware of a new exploit in the wild targeting a 0-day vulnerability in Adobe Flash Player.  This exploit differs from the typical Flash Player attacks we’ve seen where a victim is lured into browsing to a website hosting malicious Flash content.  Instead, these attacks involve a malicious Flash .swf file that is embedded into a Microsoft Excel document and then sent to a victim via email.  If the victim opens the Excel document, Flash is loaded inside the Excel process and the embedded malicious .swf file exploits Flash.  For a detailed analysis, please take a look at the Microsoft Malware Protection Center blog.  In this post we will cover some details on how you can stay safe from the current attacks.


First, customers using Microsoft Office 2010 are not susceptible to the current attacks.  The current attacks do not bypass the Data Execution Prevention (DEP) security mitigation.  Microsoft Office 2010 turns DEP on for the core Office applications, and this also protects Flash Player when it is loaded inside an Office application.  In addition, users of the 64-bit edition of Microsoft Office 2010 have even less exposure to the current attacks, as the shellcode in all the exploits we’ve seen will only work in a 32-bit process.  What’s more, if an Office document originates from a known unsafe location such as email or the internet, Office 2010 will open it in Protected View.


Protected View uses a sandbox that greatly limits the ability of an application to interact with other processes and the system.  Flash content embedded in an Office document originating from an unsafe location runs inside Protected View.  For more information about this feature of Office 2010, please refer to “What is Protected View?”.


For users who want additional protection, as well as users of versions of Microsoft Office prior to 2010, the Enhanced Mitigation Experience Toolkit (EMET) can help.  Turning on EMET for the core Office applications enables a number of security protections called security mitigations.  The exploits we’ve seen so far are broken by three of these mitigations: DEP, Export Address Table Access Filtering (EAF), and heap spray pre-allocation.  EMET is of value even for Microsoft Office 2010, which enables the first of these three (DEP) by default but not the second or third.


To be protected by EMET, there are a few steps you need to follow.  You first need to download the tool, install it, and finally configure it to protect an application.  It’s a good idea to configure EMET to protect not just Excel but all of the Office applications: the attacks we’ve seen only target Excel, but Flash Player can be hosted in the other Office applications as well.  Configuring EMET for the Office applications is done through the following steps:

  1. Launch the EMET application from the start menu
  2. Click on the “Configure Apps” button
  3. Click the “Add” button
  4. Navigate to where you have Microsoft Office installed and select one of the core Office apps.  For example, this might be C:\Program Files (x86)\Microsoft Office\Office12\excel.exe.
  5. Select “Open”
  6. Repeat steps 4 through 5 for the other core Office applications
  7. Select “Ok”
  8. Restart any of the Office applications that are currently running
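The same configuration can be scripted so it is applied consistently across many machines.  The PowerShell below is an added example, not part of the original post or of EMET itself: it finds the core Office executables through their App Paths registrations and hands each one to EMET’s command-line tool.  It assumes EMET is installed under the default path below and that EMET_Conf.exe accepts “--add <path>”.

```powershell
# Added example: automate the "Configure Apps" steps above with EMET_Conf.exe.
# Assumed default install locations for EMET (64-bit and 32-bit Windows).
$candidates = @("${env:ProgramFiles(x86)}\EMET\EMET_Conf.exe", "$env:ProgramFiles\EMET\EMET_Conf.exe")
$EmetConf = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $EmetConf) { throw "EMET_Conf.exe not found; install EMET before running this script." }

# Core Office applications; any of them can host Flash Player, so protect all of them.
$OfficeApps = 'excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe'

function Get-OfficeExePath {
    param([string]$ExeName)
    # Office setup registers each executable under App Paths; the (Default) value is its full path.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$ExeName",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\$ExeName"
    )
    foreach ($key in $keys) {
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).'(default)'
            if ($path -and (Test-Path $path)) { return $path }
        }
    }
    return $null
}

$protected = @()
foreach ($app in $OfficeApps) {
    $exe = Get-OfficeExePath $app
    if (-not $exe) { Write-Warning "$app is not installed or not registered; skipping"; continue }
    # Equivalent of steps 3 to 5 in the EMET GUI ("--add" is assumed; see the EMET user guide).
    & $EmetConf --add "$exe"
    if ($LASTEXITCODE -ne 0) { Write-Warning "EMET_Conf returned $LASTEXITCODE for $exe"; continue }
    $protected += $exe
}

# Step 8: mitigations only apply to processes started after the configuration change.
$names = $OfficeApps | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
$running = Get-Process -Name $names -ErrorAction SilentlyContinue
if ($running) {
    $list = ($running | Select-Object -ExpandProperty Name -Unique) -join ', '
    Write-Warning "Restart these Office processes for EMET to take effect: $list"
}
$protected
```

Run it from an elevated PowerShell prompt; it prints the executables that were handed to EMET.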


Since Flash Player can also be hosted in a web browser, you may wish to turn on EMET for the browser you use.  This can be done by adding the browser executable to the list of protected applications per the above steps.  In general it is a good idea to utilize a browser that opts into DEP by default such as Internet Explorer 8 and 9 (as well as several third party browsers).


Beyond EMET, there is a workaround that Office 2007 users can use to prevent Flash Player (as well as other ActiveX controls) from loading inside an Office application.  This is done by changing the ActiveX setting in the Trust Center to “Disable all controls without notification”, as shown in the screenshot below.


The ActiveX setting in the Trust Center can also be set via Group Policy or the registry.  For more information, please refer to “Security policies and settings in the 2007 Office system”.  As a final note, please be aware that this setting has the potential to break add-ins for Microsoft Office.  It is a good idea to test any add-ins you use before rolling this change out broadly.


- Andrew Roths and Chengyun Chu.