Recently we became aware of a vulnerability in a Microsoft graphics component that is being actively exploited in targeted attacks using crafted Word documents sent by email. Today we are releasing Security Advisory 2896666, which includes a proactive Fix it workaround for blocking this attack while we work on the final update. In this blog, we'll share details of the vulnerability and the Fix it workaround, and provide mitigations and suggestions for layering protections against the attack.

 

The exploit

The attacks observed are very limited and carefully carried out against selected computers, largely in the Middle East and South Asia. The exploit needs some user interaction since it arrives disguised as an email that entices potential victims to open a specially crafted Word attachment. This attachment will attempt to exploit the vulnerability by using a malformed graphics image embedded in the document itself.

In order to achieve code execution, the exploit combines multiple techniques to bypass DEP and ASLR protections. Specifically, the exploit code performs a large memory heap-spray using ActiveX controls (instead of the usual scripting) and uses hardcoded ROP gadgets to allocate executable pages. This also means the exploit will fail on machines hardened to block ActiveX controls embedded in Office documents (e.g. Protected View mode used by Office 2010) or on computers equipped with a different version of the module used to build the static ROP gadgets.

[Figure: Heap-spray of memory]

[Figure: Initial ROP gadgets]

Affected software

Our initial investigations show that the vulnerability does not affect Office 2013 but does affect older versions such as Office 2003 and 2007. Due to the way Office 2010 uses the vulnerable graphics library, it is affected only when running on older platforms such as Windows XP or Windows Server 2003; it is not affected when running on newer Windows families (7, 8 and 8.1). This is another example that demonstrates the security benefits of running recent versions of software (consider also that Windows XP support will end in April 2014). For more information and for the complete list of affected software, please refer to Security Advisory 2896666.

 Product       Status
 Office 2003   Affected
 Office 2007   Affected
 Office 2010   Affected only on Windows XP / Windows Server 2003
 Office 2013   Not affected


Fix it workaround

We created a temporary Fix it workaround that can block this attack. This temporary workaround doesn't address the root cause of the vulnerability; it simply changes the configuration of the computer to block rendering of the vulnerable graphics format that can trigger the bug. The change made by the Fix it consists of adding the following value to the local registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1

We advise customers to evaluate usage of TIFF images in their environment before applying this workaround.
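The following script, added here as an example and not part of Microsoft's Fix it package, audits whether the DisableTIFFCodec value from the advisory is present, applies it when it is missing, and offers a rollback function for use once the final update is installed. It assumes an elevated PowerShell session and the registry path exactly as stated above.

```powershell
# Added example: audit/apply/roll back the Security Advisory 2896666 workaround.
# Assumes an elevated session. The value is read when GDI+ loads, so Office
# processes must be restarted after the change for it to take effect.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$ValueName = 'DisableTIFFCodec'

function Get-TiffCodecState {
    # Returns 'Disabled' when DisableTIFFCodec is 1 (workaround in place),
    # 'Enabled' when the value is absent or set to anything else.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Enable-TiffCodecWorkaround {
    # Creates the Gdiplus key if it does not exist and sets the DWORD value to 1.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-TiffCodecWorkaround {
    # Rollback: remove the value so TIFF rendering is restored after patching.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
}

# Audit first, then apply only when the workaround is not already in place.
$before = Get-TiffCodecState
Write-Host "TIFF codec before: $before"
if ($before -ne 'Disabled') {
    Enable-TiffCodecWorkaround
    Write-Host "TIFF codec after:  $(Get-TiffCodecState)"
}
```

On 64-bit Windows running 32-bit Office, the same value under the Wow6432Node view of HKLM\SOFTWARE may also be relevant because of registry redirection; that path is an assumption of this note, not something stated in this post, so check the advisory for the authoritative list of locations.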

 

Other layers of defense

Users who are not able to deploy the Fix it workaround can still take some important steps to raise the bar for attackers and protect themselves.

  • Install EMET (the Enhanced Mitigation Experience Toolkit)

Our tests show that EMET is able to mitigate this exploit when any of the following mitigations are enabled for Office binaries:

    1. multiple ROP mitigations (StackPointer, Caller, SimExec, MemProt) available in EMET 4.0;
    2. other mitigations (MandatoryASLR, EAF, HeapSpray) included in EMET 3.0 and 4.0;


  • Use Protected View and block ActiveX controls in Office documents

Even though the vulnerability resides in a graphics library, attackers depend heavily on other components to bypass DEP/ASLR and execute code, so users can still make exploitation more difficult and unreliable by using Protected View to open attachments (the default for Office 2010) or simply by blocking the execution of ActiveX controls embedded in Office documents. These general recommendations for Office hardening and better protection against attacks have already been suggested in the following blogs, which include examples and more details:

http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-027-enhanced-protections-regarding-activex-controls-in-microsoft-office-documents.aspx

http://blogs.technet.com/b/mmpc/archive/2012/08/31/a-technical-analysis-on-cve-2012-1535-adobe-flash-player-vulnerability-part-2.aspx

 

Finally, we are working with our MAPP partners to provide information that will help to detect samples related to this attack and improve overall coverage of antimalware and security products.

We’d like to thank Haifei Li of McAfee Labs IPS Team for reporting this vulnerability in a coordinated manner and for collaborating with us.

 

- Elia Florio, MSRC Engineering