At the end of last month McAfee's Advanced Exploit Detection System found a suspicious sample, and the company's subsequent investigation confirmed the sample as a new zero-day attack targeting Microsoft Office. Since the sample was in the wild, actively being used, McAfee immediately shared the information with Microsoft. Within a week, Microsoft has released a security advisory and emergency Fix it (available here).
Fix its are temporary solutions that can be used to protect against specific threats before a formal patch is released. That patch could be delivered in December's Patch Tuesday updates, or via "an out-of-cycle security update, depending on customer needs," says Microsoft. Users who may consider themselves vulnerable, however, should install the Fix it as soon as possible.
The vulnerability exists in the way Tiff images are handled by the operating system. "An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content." One mitigating factor is that it requires user interaction to actually click the malformed graphic – however, attackers are very successful at tricking victims to do just that.
In the current attack, largely aimed at Far East and Asian targets, the malformed image is embedded in a legitimate Office document. This is used to both socially engineer the victim into clicking the graphic, and disguise the process of infection.
The vulnerability only exists on older versions of Windows – those running Office 2003 or 2007 on XP and Server 2003. Tyler Reguly, Tripwire's technical manager of security research and development, suggests that Microsoft should be more aggressive in ensuring that old software is no longer used. "If you removed that software," he suggests, "this 0-day would not exist. If it's older than 5 years old, it's probably time to end support.”
His colleague, security researcher Craig Young, fears that the Fix it may not be suitable for everyone. "Tiff is a popular format and a lot of people may not be able to accomplish their daily work if their computer won't render graphics properly. Web developers, graphic designers, and those in marketing are just a few examples of people that may be greatly hindered by applying the Fix it." He is concerned that "enterprises that work heavily with graphics may have a difficult time justifying the deployment of this fix."
More technical details on the attack have been provided in a new McAfee blog. "The fake document (dropped to C:\Documents and Settings\<username>\Shanti.doc) is popped to the victim right after the success of the exploitation, this is a common post-exploitation trick which tries to prevent victims from being aware of this attack," it notes.
It also points out that the vulnerability is effected by heap-spraying via ActiveX, which is a new development. Similar earlier attacks "usually chose Flash Player to spray memory in Office." McAfee believes that the attackers adapted their methods following Adobe's introduction of its click-to-play feature in Flash a few months ago. "This is another proof," notes McAfee, "that attacking technique always tries to evolve when old ones don’t work anymore."