Microsoft Office as a Business Tool, Infection Vector, and Petri Dish
When I look back on it now, MicrosoftOffice is a veritable Petri dish of threat evolution. From attackerslearning how to use intended functionality for malicious purposes,through to exploiting vulnerabilities in the applications themselves,an increased understanding and familiarity with the technology can beseen.
Let me explain. Once upon a time there were macroviruses in Microsoft Office documents that caused havoc. These viruseswere easy to mitigate because Microsoft simply updated Office to promptthe user for further action when opening a document with unsignedmacros. Alternatively, if Office was configured correctly by the user,only signed macros in trusted locations could be executed.
Fast forward four years or so, and we see that Microsoft Office isbeing used a semi-trusted vehicle to exploit buffer overflows in theentire Office suite. Most businesses rely on the transfer of Word,Excel, PowerPoint, Access, Project, or Visio files to exchangeinformation. Therefore, the businesses can’t very well block these fileformats at the gateway as they have done with traditionalexecutable-based threats. As a result, threats that have leveragedthese vulnerabilities have a good chance of bypassing the edge securityand getting into the desktop environment. Unlike macro viruses, bufferoverflows and similar vulnerabilities can be difficult to exploit(reliably) but are still being utilized in targeted attacks.
Today we have a world where vulnerabilities are actively exploitedand we can assume Microsoft are going make strong attempts to mitigatethem in their Office 12 release. To my surprise, a researcher by thename of Debasis Mohanty has posted details on Full Disclosureon how to utilize the fact that ActiveX controls that are marked “safe”for scripting (those that are used in web pages) can be embedded inMicrosoft Office documents. In my opinion this feature was little knownand not that commonly discussed, until now. The gem here is thatdepending on how the ActiveX control is written, it may support startupon load. This is to say that when a user opens a vulnerable documentand the ActiveX control is loaded, the ActiveX control will spring intolife without any prompting.
Debasis has realized this vulnerability could be used for maliciouspurposes. For example, a Macromedia Flash control exists that supportsevents that can be used to request arbitrary URLs on the Internet, andthus execute Java script. Although these events do not provide anyelevated privileges, they demonstrate another method of executingActiveX controls and the potential interaction with external hostswithout user acknowledgment.
The result is a proof of concept on how to obtain reliable arbitraryjava script execution on victims’ computers without any prompting. Thisdemonstrates to me that even the most esoteric functionality can haveunintended consequences when it is moved across trust boundaries.