Posts Tagged “Virus”
Malicious Office Documents Cause Security Woes
Exposure:
Today, Microsoft released two security bulletins describing seven vulnerabilities found in components that ship with Microsoft Office XP and 2003 for Windows, and Office 2004 for Mac. These bulletins do not affect the more current versions of Office, such as 2007 Microsoft Office System or Microsoft Office 2008 for Mac.
The vulnerabilities affect different versions of Office to varying degrees. Though the seven vulnerabilities differ technically, and affect two different Office components, they share the same scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.
According to Microsoft’s bulletins, an attacker can exploit these flaws using many different types of Office documents. In one bulletin, Microsoft specifically states PowerPoint documents are vulnerable. However, they also mention any "Office file" in their other alert. Therefore, we recommend you beware of all unexpected Office documents.
If you’d like to learn more about each individual flaw, drill into the "Vulnerability Details" section of the security bulletins listed below:
- MS10-003: Multiple PowerPoint Code Execution Vulnerabilities, rated Important
- MS10-004: Microsoft Office MSO.DLL Code Execution Vulnerability, rated Important
Solution Path
Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you.
I am seeing around two dozen or more virus-laden emails a day right now, all with the same general subject lines, such as:
“payment request from "Qualcomm"”, “payment request from "Google"” or “Your Credit Balance is over its limit”
These all contain a backdoor Trojan in the attachment, so again and again I remind everyone not to click those attachments you get in email. I like that “transaction inspector module”; they are always looking for something that will just make people click away. Well, DON’T!

Severity: High
5 November, 2009
Summary:
- This vulnerability affects: Adobe Shockwave Player 11.5.1.601 and earlier, running on Windows and Macintosh computers
- How an attacker exploits it: By enticing your users to visit a website containing a malicious Flash file
- Impact: An attacker can execute code on your computer, potentially gaining control of it
- What to do: Download and install the latest version of Adobe Shockwave Player
Exposure:
Adobe Shockwave Player displays interactive, animated web content called Shockwave (.SWF) files. According to Adobe, Shockwave Player is installed on some 450 million PCs.
In a security bulletin released late Tuesday, Adobe warned of critical vulnerabilities that affect Adobe Shockwave Player 11.5.1.601 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin refers to five CVE numbers, which suggests that their update fixes five security vulnerabilities. The bulletin doesn’t describe the flaws in much technical detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Shockwave (SWF) content, he could exploit this unspecified vulnerability to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.
If you deploy Adobe Shockwave throughout your network, we recommend you download and install the latest version as soon as you can.
Solution Path
Adobe has released a new version of Shockwave Player, version 11.5.2.602. If you use Adobe Flash in your network, we recommend you download and deploy this updated player as soon as possible.
Status:
Adobe has released a Shockwave Player update to fix these vulnerabilities.
References:
- Adobe Security Bulletin
This alert was researched and written by Corey Nachreiner, CISSP.
I’ve had so many people get infected with variations of AntiVirus 2009, and each one has said they never loaded anything or “I don’t visit bad sites.” Well, here is a perfect example of why what you think you did and what you actually did are not always the same when it comes to the web.
In this case I pulled up a site I think most would consider “safe”, The Christian Science Monitor. However, within that page was a redirect to another server located in Germany, owned by a guy in Norway. Of course, the infected server I was being redirected to could easily be a legit site which has been hacked or a site set up specifically to try to distribute malware, and in this case I suspect the latter, as no website actually exists on that server. As to the source of the infection, my bet is one of the Flash banners on the primary site was the source of the redirect, and that is just one more reason to disable plug-ins whenever possible. Instead of a hacker needing to attack Christian Science Monitor, all they have to do is go after the company offering up the advertising banners or even sign up as an advertiser.

I’ve seen a number of these hitting a less-than-public email address, so that tells me there are probably a large number being sent out. Typical grammar issues abound in the subject and body, the alert came from and was emailed to the same address, and of course it included something you are supposed to run. Well, do run: run away, that is. Delete, Delete, Delete.
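The traits called out in the email posts above (the quoted subject lines, a message sent from and to the same address, an attachment meant to be run) can be checked mechanically at a mail gateway or in a mailbox sweep. The following is an added example, not part of the original posts; the attachment extension list, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject wording quoted in the posts above.
LURE_SUBJECT = re.compile(r"payment request from|credit balance is over its limit", re.I)
# Assumed, non-exhaustive list of attachment types that run code when opened.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs")

def triage(raw):
    """Return the reasons a raw message matches the traits described above."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    if sender and sender == rcpt:
        reasons.append("sender equals recipient")
    if LURE_SUBJECT.search(str(msg.get("Subject", ""))):
        reasons.append("known lure subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append("risky attachment: " + name)
    return reasons

def make_sample(sender, rcpt, subject, attachment=None):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, rcpt, subject
    m.set_content("Please see the attached file.")
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    samples = [
        make_sample("me@example.test", "me@example.test",
                    'payment request from "Google"', "invoice.exe"),
        make_sample("alice@example.test", "bob@example.test", "Lunch on Friday?"),
    ]
    for raw in samples:
        print(triage(raw) or "no lure traits")
```

Any single reason is weak on its own; messages that collect two or more are the ones worth quarantining for review.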

QuickTime Falls Prey to Malicious Movies and Images
Severity: Medium
9 September, 2009
Summary:
- These vulnerabilities affect: QuickTime for OS X or Windows
- How an attacker exploits them: By enticing your user to click a malicious link or view a maliciously-crafted movie or image
- Impact: An attacker could execute code on your user’s computer, potentially gaining control of it
- What to do: Download and install QuickTime 7.6.4 for Windows or OS X (or use Apple’s Software Update tool)
Exposure:
Today, Apple released a security update to fix four vulnerabilities in QuickTime, their popular media player for both Windows and Macintosh OS X. The flaws differ technically, but all involve buffer overflows or memory corruption, and they share the same scope and impact. By luring one of your users into viewing a maliciously crafted movie or image file, an attacker can exploit one of the four QuickTime flaws to execute code on that user’s computer (or, less worrisome, crash QuickTime). Some of the file types susceptible to this attack include MPEG-4, H.264, and FlashPix.
These vulnerabilities can be exploited on both Windows and OS X computers, with differing results. Attackers exploiting these flaws gain only the privileges of the logged-in user. OS X separates normal users’ privileges from root or administrative privileges, so an attacker will not gain complete control of OS X machines with these flaws. However, most Windows users have local administrative privileges, so an attacker could potentially leverage these flaws to gain complete control of Windows machines.
Solution Path:
Apple has released QuickTime 7.6.4 to fix these security issues. Windows and OS X administrators should download, test, and deploy the appropriate update as soon as possible. By default, Apple’s download bundles iTunes with QuickTime, but because iTunes often has security issues of its own, we recommend that you select the option of downloading QuickTime alone.
For All Users:
Because QuickTime handles so many different media types (many of which are essential for doing business today), trying to block exploitable file types using your firewall may not be the best way to support your organization’s mission. Instead, your best solution is to download and install Apple’s fixes.
Status:
Apple has released updates to fix these issues.
References:
- Apple’s September QuickTime advisory
This alert was researched and written by Corey Nachreiner, CISSP.
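Both the Shockwave Player alert and the QuickTime alert above end in the same instruction: get every machine to the fixed version. The following added example (not part of the original alerts) audits a software inventory against the fixed versions those alerts name; the CSV layout, host names and the 11.5.10.100 build are assumptions constructed for illustration.

```python
import csv
import io

# Fixed versions named in the two alerts above.
FIXED = {"Adobe Shockwave Player": "11.5.2.602", "QuickTime": "7.6.4"}

def parse_version(text):
    """Turn '11.5.2.602' into (11, 5, 2, 602) for numeric comparison."""
    return tuple(int(part) for part in text.strip().split("."))

def needs_update(product, installed):
    """True if installed is older than the fixed build; None if not covered."""
    fixed = FIXED.get(product)
    if fixed is None:
        return None
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so 7.6 compares as 7.6.0
    b += (0,) * (width - len(b))
    return a < b

def audit(inventory_csv):
    """Return (host, product, version) rows still below the fixed version."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            stale = needs_update(row["product"], row["version"])
        except ValueError:
            stale = True   # unparseable version: flag for manual review
        if stale:
            findings.append((row["host"], row["product"], row["version"]))
    return findings

# Constructed inventory; host names and the 11.5.10.100 build are made up.
SAMPLE = """host,product,version
ws-01,Adobe Shockwave Player,11.5.1.601
ws-02,Adobe Shockwave Player,11.5.2.602
ws-03,Adobe Shockwave Player,11.5.10.100
mac-01,QuickTime,7.6
mac-02,QuickTime,7.6.4
ws-04,Adobe Reader,9.2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Comparing the version fields as integers matters: as plain strings, "11.5.10.100" sorts below "11.5.2.602" and a patched host would be reported as vulnerable.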
Today, Microsoft released a security advisory warning of a serious unpatched DirectX vulnerability, which attackers have already begun exploiting on the Internet. The vulnerability affects DirectX 9.0 (and earlier versions) running on Windows 2000, XP and Server 2003 computers. It does not seem to affect DirectX 10 running on Windows Vista or Server 2008 computers.
Today, Microsoft released a security advisory warning of a very serious unpatched Excel vulnerability, which attackers have already begun exploiting on the Internet. The vulnerability affects all current versions of Excel for Windows and Mac, as well as the Microsoft Excel Viewer and the Office Compatibility Packs.