Microsoft has released patch for an Office vulnerability that is currently being exploited in the wild.  The following is our action report for clients utilizing Microsoft Office.

Summary

CVE-2017-0119 is a critical vulnerability in Microsoft Office’s handling of rich text documents (RTF). This vulnerability allows attackers to execute malicious code once a specially crafted document is opened (without further user interaction).

Vulnerability Description

CVE-2017-0199 allows malicious Microsoft Word and WordPad documents to execute arbitrary code without user interaction. Unlike other Microsoft Office infection vectors, this vulnerability does not require that users allow Macros or interact with malicious documents once they are opened. This means that current protections such as automatically disabling external macros are not affective.

This vulnerability is being actively exploited by various threat actors to infect machines with commodity malware. It is also likely that advanced threat actors are leveraging this vulnerability to gain a foothold in target networks.

The Kudelski Intelligence services team has identified in large increase is spam and phishing emails which attempt to exploit this vulnerability in order to infect users with the Dridex botnet.

In the current “Malspam” campaign a threat actor emails a Microsoft Word document to a targeted user with an embedded OLE2 embedded link object. The victim unknowingly opens the malicious RTF file resulting in arbitrary code execution which in turn downloads multiple malware payloads, ultimately leading to system compromise.

Impacted Versions

All versions of Microsoft Office are affected by this vulnerability.

Recommended Actions

Microsoft released a patch for CVE-2017-0199 on April 11^th, 2017. Kudelski Security recommends that all clients immediately deploy this patch to all endpoints that have Microsoft office installed.

Clients should continue advising end users to not open e-mail attachment from unknown senders and to report suspicious emails to IT.

Additionally, while not effective against this specific attack vector, Kudelski Security highly recommends that clients deploy the external macro blocking measures that Microsoft has developed to protect Microsoft Office users available here:

https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/

The Cyber Fusion Center will remain vigilant and update managed security devices to detect these threats as soon as signatures become available from vendors.

Sources

https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/

https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html