OLE-y hell. Bug in MSFT Word allows total PC p0wnage

All eyes will be on Microsoft's April patch run - due tomorrow - to see whether Redmond gets ahead of a nasty Word zero-day that popped up last week. The hack exploits Object Linking and Embedding and the FireEye researchers who discovered the bug were working with Microsoft, but were pre-empted by a disclosure from McAfee. …

  1. redpawn

    Security is Job One at Microsoft

    once again. Don't look up the Open Document Foundation. Don't switch to Libre Office. You will not get the same results Microsoft delivers time in and time out. Remember you get what you pay for. Pay for MS Word and you get Microsoft quality security.

    Pay for Libre Office and you made a mistake. However donations to the Open Document Foundation are nice.

    1. ammabamma
      Joke

      Re: Security is Job One at Microsoft

      > Security is Job One at Microsoft

      Job #1? Does this mean they are taking the piss? They've certainly done a bang-up job depositing number twos all over my Win10 VM...

    2. Anonymous Coward
      Anonymous Coward

      Re: Security is Job One at Microsoft

      Sure. Inferior products also have an inferior attack surface. LibreOffice is close to unusable for complex documents embedding different sources.

      Of course opening documents from unknown sources is a security risk.

      1. cynic 2
        Unhappy

        Re: Security is Job One at Microsoft

        "Of course" ? I think you're normalizing MS weirdness here. A "document" shouldn't have any executable connotations. The pain just isn't worth the gain.

      2. John Brown (no body) Silver badge
        FAIL

        Re: Security is Job One at Microsoft

        "LibreOffice is close to unusable for complex documents embedding different sources."

        It's fine at embedding. But it's not so good at loading in objects from some random server out on the internet over which you have no control, least of all an executable object. Why would anyone want a document that might be different every time you open it? Isn't that what web pages are for?

      3. Frank Bitterlich
        Stop

        Re: Security is Job One at Microsoft

        "Of course opening documents from unknown sources is a security risk."

        OK, let me ask a rhetorical question here: Why should opening a document (from whatever source, in whatever format) be a security risk? Isn't it rather that using certain applications is a security risk?

        A software vulnerability is, without exception, a software malfunction (a.k.a. bug.) By telling users to be "careful where that document comes from", "not 'open' emails from unknown sources", "not click on links to unknown sites", you're putting the blame for malfunctioning software on the user instead of the creator/publisher/vendor of the software – "we told you to be careful." But that appears to be generally accepted now.

        And if anybody wants me to rant a bit more, ask me about why software companies can shed all liability for their software with the inclusion of a single paragraph in their small print.

        1. phuzz Silver badge

          Re: Security is Job One at Microsoft

          "A software vulnerability is, without exception, a software malfunction"

          Sometimes it is, but not always. Occasionally it's a deliberately inserted back door, but more often it's a legitimate function that was intended as a useful feature being used in a way that's not intended.

    3. handleoclast
      FAIL

      Re: Security is Job One at Microsoft

      There must be something wrong with my eyesight. I keep reading "Security is Job One at Microsoft" as "You had just one job."

    4. Anonymous Coward
      Anonymous Coward

      Re: Security is Job One at Microsoft

      "Pay for Libre Office and you made a mistake"

      You probably will pay for it if you install it. For starters, full Libre Office functionality requires installing Java - which is way more insecure than any Microsoft product ever... Secondly, most people need a version of Office that actually works. Hence why near zero businesses use Libre Office.

  2. a_yank_lurker Silver badge

    Security isn't Job 1

    Given this flaw has been around for ages, one has to ask why it wasn't discovered and patched earlier? It raises the question of which feral TLA was using this until the bad guys of the month started using it against them. Now that the cat is out of the bag, it has become useless to the "friendly" spookhauses and thus must be patched.

    The motto for Slurp should be "Spying is Job 1 but don't ask who for".

    1. Anonymous Coward
      Anonymous Coward

      Re: Security isn't Job 1

      Why wasn't it discovered earlier?

      As this is exploit No 3065332 out of 103523342342, it has taken them that long to work through the known exploits to get here.

      The bad news is that new ones are being added faster than the old ones can be rectified.

      A bug in OLE? Wow! That is really old Skool stuff.

    2. Roland6 Silver badge

      Re: Security isn't Job 1

      >Given this flaw has been around for ages one has to ask why wasn't discovered and patched earlier?

      A very good question. I just googled "hta exploit in office 2007".

      The 7th result on the first page from Google got me this thread, started on 25 June 2016:

      https://webcache.googleusercontent.com/search?q=cache:zSOTrzsbdIQJ:https://www.nulled.to/topic/170245-ancalog-multi-exploit-builder-exe-to-docpdfxlschmhta-fudsilent-doc/+&cd=7&hl=en&ct=clnk&gl=uk

      Silent DOC 2007

      Features:

      -Upcoming FUD Crypter (S/R) * Not released yet, this is near future guys

      -Include silent doc exploit

      -Several exploits, most are sendable via GMail

      -Compatible with every rat/keylogger/worm

      -Compatible with XP - 10 32/64

      -FUD (DOC CHM)

      -Can be sent via gmail/fb (DOC XLS PDF)

      -Works with every MS Office from 2007 to 2016 (excluding Starter edition - there's no macro support)

      Sounds suspiciously similar to the .hta exploit being discussed here...

      Given how long it has been around, it might be worth doing a trawl back through the inbox/spam/junk/trash folders and conducting a careful investigation of .doc attachments with notepad/emacs/vi.

      From the little that is published on .hta and the total lack of security MS provides, I do wonder if the exploit also features in one of the toolsets for spooks that have been liberated in recent times.

  3. allthecoolshortnamesweretaken

    Where is Clippy when you actually need him...

    1. quxinot Silver badge

      >Where is Clippy when you actually need him...

      You don't actually need him.

      Ever.

  4. GidaBrasti
    Headmaster

    "...snip... and a malicious .hta file disguised as RTF (rich text format). ...snip...

    ...snip... It ten downloads additional payloads...snip..."

    Obviously MS WORD was used for this article.

  5. coconuthead

    I had to Google what application/hta and .hta were, but when I had - what moron thought it was a good idea to invent a new file extension for an executable? Image headers have been around for decades, at least back to the 1970s. Even Unix (which doesn't have hard typed file extensions) has them for executables, in the form of magic numbers and the #! which will be in every executable script. Given this is Windows-only, this should have been a .exe file with a different header.

    And then there is IANA, which registered it as application/hta. Sorry, no. MIME should be segregating executables and scripts as a major type, say executable/*. This, too, should have been obvious at the initial design but I guess they were blinded by a desire to put scripts under text/*.

    If either of these mistakes had not been made, it would be a lot easier for anything embedding an executable to be flagged or blocked. As it is, each new bad type of executable has to be blacklisted.

    1. Missing Semicolon
      Mushroom

      application/hta

      Aaagh!

      In the description, Wonkypedia says: "An HTA executes without the constraints of the internet browser security model; in fact, it executes as a "fully trusted" application."

      So, by definition, it should either not be loaded remotely at all, or should be signed.

      The fault is Microsoft Word's as it is loading untrusted content and running it in a trusted environment. If that is necessary for a feature to work, then Microsoft have deliberately subverted their own security rules to make Word look cool. Isn't that culpable?

      1. Daniel von Asmuth
        Terminator

        Re: application/hta

        Wikipedia claims there is a fix for this problem:

        https://en.wikipedia.org/wiki/HTML_Application

        You just need to uninstall Internet Explorer. That should deal with the application/HTA problem. Uninstalling MS Office might also offer some help against macro viruses.

      2. Roland6 Silver badge

        Re: application/hta

        >The fault is Microsoft Word's

        Err no, this is a fault introduced in IE5 - MS embedded a version of IE in Office, so we can expect the same exploit to effectively be available in: Excel, Powerpoint ...

        Otherwise agree, MS were plain daft in the way they implemented no security for .hta files.

    2. coconuthead

      application/hta is not a registered MIME type

      I got curious about what other undesirable application/* types might be registered, so I looked at the actual registry at iana.org. And application/hta isn't actually there! I had believed the Wikipedia article, which lists this media type. It seems it's just being used unofficially instead of the standards-compliant application/x-hta or application/vnd.ms.hta.

      So I was wrong to blame IANA for this specific registration, although I stand by my criticism of them putting executables in application/*. Indeed, they've obsoleted text/javascript in favour of application/javascript, so it's deliberate.

  6. Anonymous Coward
    Anonymous Coward

    'unlike many Word-based attacks, it doesn't ask the victim to enable macros.'

    Q: How persistent is the attack if the internet-is-off when the Word doc is opened, is it rendered null? What Word versions support 'Protected View'?

    1. Sandtitz Silver badge

      Re: 'unlike many Word-based attacks, it doesn't ask the victim to enable macros.'

      "What Word versions support 'Protected View'?"

      Protected View came with Office 2010 and is enabled by default. You can only browse the document, but editing, macros, and even printing are turned off until you click the 'Enable Editing' button.

      I presume that the attack doesn't work (or persist) offline since the doc requires an external payload to be downloaded and executed.

      The executable would also be run using the user's credentials and thus limited to the user profile and wherever the user has rights. Applocker or Software Restriction Policies could remedy against this, as well as obviously not granting admin rights to the end users.

  7. Anonymous Coward
    Anonymous Coward

    So let me get this right....

    ...Fire-eye were working on a fix with MS before going public.

    McAfee Virus, sorry Anti-virus, go public before fix.

    I know which one I respect more and have done for a very long time.

    1. nkuk

      Re: So let me get this right....

      So you would rather be kept in the dark rather than informed about an active exploit?

      1. Roland6 Silver badge

        Re: So let me get this right....

        >So you would rather be kept in the dark rather than informed about an active exploit?

        Interesting question; from the available information, it would seem that FireEye have known about the exploit for a few weeks and hence its products have been updated to guard against it, whereas McAfee have only just discovered the exploit and hence its products don't guard against it.

        Additionally, it would seem that FireEye had only shared information about the exploit with MS and not with others in the Internet Security industry. Thus, McAfee's action has forced FireEye into a premature and public disclosure...

        Clearly, white hats aren't immune to commercial considerations.

  8. Mage Silver badge
    Devil

    OLE

    OLE was evil from the beginning on Win 3.x.

    A file using it transferred to another PC might not have the other application(s) needed.

    It's inherently vulnerable.

    COM and DCOM are its later evil siblings.

    If you are using OLE, you are doing your documents wrong. Better to export and import a static copy from the other application, or if it has to be dynamic, then using a connection (validated and sanitised) to a database. The entire idea of OLE is stupid and facilitates lazy convenience instead of proper solutions.

    Over 20 years ago, when giving training, I explained and demo'd why to never use OLE.

  9. jonha

    Anyone who gives winword (or other such apps) free access to the wider internet almost deserves this. I fully understand that many users are just not able to work the OS (or another) firewall although, with a bit of googling and some patience, this is not too hard. People have to learn the ropes to be able to drive a car, so perhaps we should accept that learning some basic security reflexes is not a bad thing.

    1. Roland6 Silver badge

      >Anyone who gives winword (or other such apps) free access to the wider internet almost deserves this.

      A default install of MS Word on Windows gives it web access. There is no simple way (i.e. an option during install or a tickbox in settings) for typical users to block MS Office access to the internet and/or execution of downloaded files.

  10. Peter2 Silver badge

    Blocking this attack?

    So, I'm sure I'm not the only person who's actually maintaining a network who's looking at this, and more importantly how to block it.

    "In short, HTAs pack all the power of Internet Explorer—its object model, performance, rendering power and protocol support—without enforcing the strict security model and user interface of the browser." and "an HTA runs as a fully trusted application and therefore has more privileges than a normal HTML file; for example, an HTA can create, edit and remove files and registry entries"

    An HTA is executed using the program mshta.exe

    Definitely not something that I want running on the network.

    I already have "Restrict File Download" set in the office GPO, so in *theory* then on opening the document winword shouldn't be able to download the payload in the first place so I should be safe.

    However, I don't wish to be complacent, and I do wish to be professionally paranoid (i.e. doing my job...). So, to be on the safe side, adding a disallowed path rule for "%SystemRoot%\system32\mshta.exe" to a software restriction policy GPO would prevent any HTAs that make it to the endpoints from running.

    And that's absolute protection against this? Or have I missed something? Opinions from fellow professionals welcome.

    1. eswan

      Re: Blocking this attack?

      I've just dropped a squid proxy rule into place:

      acl mimeblock rep_mime_type ^application/hta$

      Might be a bit naive, but won't hurt. And I don't see any legitimate reason to allow them.
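The ACL above only takes effect once a reply rule references it; here is a complete fragment, as an added example (not eswan's actual squid config), that also covers the unofficial type names coconuthead mentions earlier in the thread (an assumption; adjust to what your logs show):

```conf
# Added example, not the poster's config: the rep_mime_type ACL on its own
# matches nothing until an http_reply_access rule uses it.
acl mimeblock rep_mime_type ^application/hta$
# Unofficial variants named elsewhere in this thread (assumption that a
# proxy may see them; drop any you never observe).
acl mimeblock rep_mime_type ^application/x-hta$
acl mimeblock rep_mime_type ^application/vnd\.ms\.hta$
# Deny by response Content-Type; keep this above any "allow all" reply rule.
http_reply_access deny mimeblock
http_reply_access allow all
```

rep_mime_type tests the Content-Type header the origin server sends, so it only helps when the server labels the file as an HTA; treat it as one layer alongside the endpoint controls (Protected View, SRP for mshta.exe) discussed above.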

      1. Peter2 Silver badge

        Re: Blocking this attack?

        . . . I hadn't actually considered dropping anything with application/hta at the network level, you can tell I usually work with server/desktop! Added that just for good measure.

        Ok, so far. If emailed in then :-

        1) the anti spam system should recognise active content in the word document and drop it.

        2) If it was (somehow) delivered to the endpoint then word is blocked from downloading anything via GPO.

        3) If it (somehow) bypassed the Group Policy options for this then it'd get blocked by the firewall.

        4) If it somehow was downloaded and attempted to get executed then it'd be blocked by the Software Restriction Policy as an unauthorised extension type.

        5) If that fails, the HTA processor is blocked from running by SRP.

        6) If that fails, then I'm reliant on the AV.

        I don't think I'm going to get too much safer.

    2. Roland6 Silver badge

      Re: Blocking this attack?

      Re: Or have I missed something

      You might find this article interesting:

      https://arstechnica.co.uk/security/2017/04/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/

      "In the meantime, users can block code-execution exploits by adding the following to their Windows registry: Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2 and OpenInProtectedView to 0."

      However, you also need to enable use of Protected View in whichever of the following your users may have installed: 2010: Office, Word, Excel, Powerpoint; 2013: Word, Excel, Powerpoint; 2016: Word, Excel, PowerPoint

      I assume there is also a similar fileblock key to the Word RTF file block for Excel and Powerpoint.
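The registry change quoted above, scripted for the three Office releases the comment lists, as an added example (not from the post or the Ars Technica article). It assumes the FileBlock key lives under HKCU, which the quote does not state, and that Office 2010, 2013 and 2016 use the version keys 14.0, 15.0 and 16.0.

```powershell
# Added example, not the thread's or Microsoft's own script.
# Assumption: the per-user hive (HKCU) holds the FileBlock key; the quote
# gives only the path below Software\. Version keys 14.0/15.0/16.0 are
# assumed to map to Office 2010/2013/2016.
$OfficeVersions = @{ '2010' = '14.0'; '2013' = '15.0'; '2016' = '16.0' }

function Get-WordFileBlockKey {
    param([string]$Version)
    return "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileBlock"
}

function Set-WordRtfFileBlock {
    param([string]$Version)
    $key = Get-WordFileBlockKey -Version $Version
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # RtfFiles = 2 and OpenInProtectedView = 0 are the values quoted in the post.
    # Note: this stops Word opening RTF files, so confirm users can live with that.
    New-ItemProperty -Path $key -Name 'RtfFiles' -PropertyType DWord -Value 2 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'OpenInProtectedView' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-WordRtfFileBlock {
    # Reads the values back so the change can be verified (or audited later).
    param([string]$Version)
    $key = Get-WordFileBlockKey -Version $Version
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.RtfFiles -eq 2 -and $p.OpenInProtectedView -eq 0)
}

foreach ($release in ($OfficeVersions.Keys | Sort-Object)) {
    $v = $OfficeVersions[$release]
    # Only touch releases that are actually present for this user.
    if (Test-Path "HKCU:\Software\Microsoft\Office\$v\Word") {
        Set-WordRtfFileBlock -Version $v
        $state = if (Test-WordRtfFileBlock -Version $v) { 'applied' } else { 'NOT applied' }
        Write-Output "Office $release ($v): RTF FileBlock $state"
    } else {
        Write-Output "Office $release ($v): Word key not found for this user, skipped"
    }
}
```

Run it in the context of each user whose profile needs the setting; for fleet-wide deployment the same values belong in a GPO preference or the Office ADMX file-block policy rather than a per-user script.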

      1. Roland6 Silver badge

        Re: Blocking this attack?

        This thread gives more information about HIPS settings wrt mshta.exe on both 32 and 64 bit Windows.

        https://www.wilderssecurity.com/threads/attacks-detected-with-new-microsoft-office-zero-day.393228/

  11. Anonymous Coward
    Anonymous Coward

    MS

    Great, what's the one thing that won't fecking update with MS's wondrous new W10 update system? Feckin Office. I'd switch to something else but I did actually pay for it. That'll teach me not to pirate MS crapware.

  12. Mage Silver badge

    HTA

    HTA files were partnered with maybe IDC files, I forget. Only meant for MS webservers before ASP file format. The HTA had HTML with placeholders (variables) replaced by data from SQL (queries in the paired IDC file). I think that's how it worked, but it's over 15 years ago.

    Obviously they are being misused. So there are three design flaws here:

    1) OLE inherently is a broken idea.

    2) HTA file content

    3) That ANYTHING exists and is enabled today on Windows to make sense of an HTA file, however loaded.
