
Emerging Threat: Microsoft Word Zero Day (CVE-2014-1761) Remote Code Execution Vulnerability

Created: 27 Mar 2014 • Updated: 28 Mar 2014 • 2 comments
MSS Global Threat Response

EXECUTIVE SUMMARY:

On March 24th, Microsoft posted a security advisory (2953095) for a newly discovered, unpatched vulnerability affecting Microsoft Word. Microsoft is aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. CVE-2014-1761 has been assigned to this vulnerability.

Please be aware that Word is the default viewer for Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013, and that even looking at the e-mail in the preview pane could lead to an infection through this attack.

THREAT DETAILS:

This vulnerability allows the attacker to gain the same privileges on the target machine as the victim, ultimately resulting in remote code execution. The threat drops a backdoor that gives the attacker access to the victim machine.

At this time, it appears the attack is targeted, and the impact is low. We do not have any further information on the countries/regions that are impacted at this time.

According to Microsoft, this exploit fails (resulting in a crash) on machines running Word 2013.

Microsoft also mentions that the malicious document in the wild is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented programming techniques, using native RTF encoding schemes to craft ROP gadgets.

IMPACT:

  • An attacker who successfully exploited this vulnerability could gain the same rights as the currently logged on user.
  • Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative privileges.

AFFECTED SOFTWARE:

  • Microsoft Word 2003 Service Pack 3
  • Microsoft Word 2007 Service Pack 3
  • Microsoft Word 2010 Service Pack 1 (32-bit editions)
  • Microsoft Word 2010 Service Pack 2 (32-bit editions)
  • Microsoft Word 2010 Service Pack 1 (64-bit editions)
  • Microsoft Word 2010 Service Pack 2 (64-bit editions)
  • Microsoft Word 2013 (32-bit editions)
  • Microsoft Word 2013 (64-bit editions)
  • Microsoft Word 2013 RT
  • Microsoft Word Viewer
  • Microsoft Office Compatibility Pack Service Pack 3
  • Microsoft Office for Mac 2011
  • Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
  • Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
  • Word Automation Services on Microsoft SharePoint Server 2013
  • Microsoft Office Web Apps 2010 Service Pack 1
  • Microsoft Office Web Apps 2010 Service Pack 2
  • Microsoft Office Web Apps Server 2013

MICROSOFT WORKAROUNDS:

SYMANTEC MSS SOC DETECTION CAPABILITIES:

MSS SOC Analytics Detection

  • Hot IP Signatures
    • Hot IP - MS word (CVE-2014-1761) zero day C&C traffic

Vendor Detection

  • Symantec SEP/AV
    • Bloodhound.Exploit.550
  • Snort/SourceFire

This list represents a snapshot of current detection. Symantec MSS stands ready to provide security monitoring once additional vendors or additional detection is identified and enabled on your monitored devices. As threats evolve, detection for those threats can and will evolve as well.

MITIGATION STRATEGIES:

  • Apply the workaround until patches are made available by the vendor.
  • Apply the updates from Microsoft as soon as they become available.
  • Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including enterprise-wide security monitoring from Edge to Endpoint.
  • Do not use out-of-date software; keep your operating system and applications up to date with the latest versions and security patches.
  • To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  • Do not follow links or open email attachments provided by unknown or untrusted sources.
  • Memory-protection schemes (such as non-executable stack and heap configurations and randomly mapped memory segments) complicate exploitation of memory-corruption vulnerabilities.
  • Symantec encourages users to apply all relevant patches when they are available.
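As an added example (not part of the Symantec advisory and not a Symantec tool), the following Python triage check is the kind of control a mail gateway or SOC script could apply to the RTF attachment vector described above during the unpatched window. It classifies attachments by content rather than by file extension, because Word selects its parser by sniffing the file, so an RTF document renamed to .doc still reaches the vulnerable RTF parser. The sample attachments, the hold policy and the truncated `{\rt` header match are assumptions of this example; the magic values for RTF, OLE and OOXML are the standard ones.

```python
"""Added example (not from the advisory): hold RTF e-mail attachments by
content, whatever their extension claims, while CVE-2014-1761 is unpatched.

Assumptions of this example: a mail gateway hands us attachments as
(filename, bytes); the policy is to hold every RTF for analyst review;
Word's RTF sniffing is lenient enough to accept a truncated "{\\rt" header
with leading whitespace, so we match the short form to avoid under-flagging.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

RTF_HEADER = re.compile(rb"\{\\rt")                 # matches "{\rtf1" and "{\rt"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy binary .doc (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx container
SNIFF_WINDOW = 512                                  # bytes examined for the RTF header


@dataclass
class Attachment:
    filename: str
    data: bytes


@dataclass
class Verdict:
    filename: str
    kind: str      # "rtf", "ole", "ooxml" or "other"
    hold: bool     # True -> quarantine for analyst review
    reason: str


def sniff_kind(data: bytes) -> str:
    """Classify by content. Real container magics are checked at offset 0 first,
    so an OLE or OOXML file that happens to contain '{\\rt' bytes is not mislabelled;
    the RTF header is then searched anywhere in the sniff window."""
    head = data[:SNIFF_WINDOW]
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    if RTF_HEADER.search(head):
        return "rtf"
    return "other"


def assess(att: Attachment) -> Verdict:
    """Apply the hold policy: any RTF content is held; note extension mismatches."""
    kind = sniff_kind(att.data)
    name = att.filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if kind != "rtf":
        return Verdict(att.filename, kind, False, f"{kind} content, not RTF")
    if ext == "rtf":
        reason = "RTF content; held while CVE-2014-1761 is unpatched"
    else:
        reason = f"RTF content behind .{ext or '(none)'} extension; Word parses by content"
    return Verdict(att.filename, kind, True, reason)


def triage(attachments: List[Attachment]) -> Tuple[List[str], List[str]]:
    """Return (held filenames, allowed filenames) in input order."""
    verdicts = [assess(a) for a in attachments]
    held = [v.filename for v in verdicts if v.hold]
    allowed = [v.filename for v in verdicts if not v.hold]
    return held, allowed


# Constructed sample attachments (not real malware, not from the advisory).
SAMPLE_ATTACHMENTS = [
    Attachment("quarterly.rtf", b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}} constructed}"),
    Attachment("invoice.doc", b"{\\rtf1\\ansi constructed RTF renamed to .doc}"),
    Attachment("report.doc", OLE_MAGIC + b"\x00" * 40),
    Attachment("memo.docx", ZIP_MAGIC + b"\x14\x00\x00\x00" + b"\x00" * 26),
    Attachment("evasive.doc", b"  \r\n{\\rt1 truncated header, leading whitespace}"),
    Attachment("notes.txt", b"Plain text, nothing to see here."),
]

if __name__ == "__main__":
    for att in SAMPLE_ATTACHMENTS:
        v = assess(att)
        print(f"{'HOLD ' if v.hold else 'ALLOW'} {v.filename:<14} {v.kind:<6} {v.reason}")
```

Run it as a script to see one line per attachment; the three RTF payloads are held regardless of their names, while the binary .doc, the .docx and the text file pass. Checking content first is the point: an extension-based block list would let invoice.doc and evasive.doc through to the RTF parser.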

REFERENCES:

Comments (2)

Milan_T:

Thanks for sharing such valuable information.

As we know, from today Microsoft has declared end of life and support for Windows XP. How can we prevent our organization from potential bugs and vulnerabilities using endpoint protection, firewall and IPS? Any idea? Please share accordingly.

.Brian:

I would look into the system lockdown feature within SEP

Configuring system lockdown

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
