Word zero-day affects all versions of Office and Windows
Somebody at McAfee jumped the gun. Last Friday night McAfee disclosed the inner workings of a particularly pernicious rigged Word document attack — a zero-day involving a linked HTA file. On Saturday FireEye — citing a “recent public disclosure by another company” — gave more details, and revealed that it had been working on the problem with Microsoft for several weeks.
It looks like McAfee’s public disclosure forced FireEye’s hand prior to Microsoft’s anticipated fix tomorrow.
The exploit appears in a Word doc attached to an email message. When you open the doc (an RTF file with a .doc name extension), it has an embedded link that retrieves an HTA file. (An HTML application is usually wrapped around a VBScript or JScript program.)
Apparently all of that happens automatically, although the HTA file is retrieved via HTTP, so I don’t know if Internet Explorer is a key part of the exploit. (Thanks satrow and JNP on AskWoody.)
The downloaded file puts a decoy that looks like a document up on the screen, so users thinks they’re looking at a doc. It then stops the Word program to hide a warning that would normally appear because of the link. Very clever.
At that point the downloaded HTA program can run whatever it wants “in the context of the local user.” According to McAfee, the exploit works on all versions of Windows, including Windows 10. It works on all versions of Office, including Office 2016.
McAfee has two recommendations:
- Do not open any Office files obtained from untrusted locations.
- According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.
Long-time security guru Vess Bontchev says a fix is coming in tomorrow’s Patch Tuesday bundle.
When researchers uncover a zero-day of this magnitude — completely automatic and unprotected — it’s common for them to report the problem to the software manufacturer (in this case, Microsoft) and wait long enough for the vulnerability to be fixed before disclosing it publicly. Companies like FireEye spend millions of dollars to ensure their customers are protected before the zero-day is disclosed or patched, so it has an incentive to keep the lid on newly discovered zero-days for a reasonable amount of time.
There’s a raging debate in the anti-malware community about “responsible disclosure.” Marc Laliberte at DarkReading has a good overview:
Security researchers haven’t reached a consensus on exactly what “a reasonable amount of time” means to allow a vendor to fix a vulnerability before full public disclosure. Google recommends 60 days for a fix or public disclosure of critical security vulnerabilities, and an even shorter seven days for critical vulnerabilities under active exploitation. HackerOne, a platform for vulnerability and bug bounty programs, defaults to a 30-day disclosure period, which can be extended to 180 days as a last resort. Other security researchers, such as myself, opt for 60 days with the possibility of extensions if a good-faith effort is being made to patch the issue.
The timing of these posts brings into question the motives of the posters. McAfee acknowledges, up front, that its information was just one day old:
Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched.
Responsible disclosure works both ways; there are solid arguments for shorter delays and for longer delays. But I don’t know of any malware research company that would assert that immediate disclosure, prior to notifying the vendor, is a valid approach.
Obviously, FireEye’s protection has covered this vulnerability for weeks. Just as obviously, McAfee’s for-fee service hasn’t. Sometimes it’s hard to tell who’s wearing a white hat.
Discussion continues on the AskWoody Lounge.