Microsoft active zero-day attacks target South Pacific

Microsoft has warned its customers of attackers exploiting zero-day vulnerabilities in its Office suite of products, and released a tool to help users defend themselves.

Attackers are sending crafted phishing emails to users in South Asia and Middle East with malicious Word attachments that contain the zero-day exploit.

The attacks used a string of techniques that targeted the way graphics were processed by Office versions 2003 and 2007, and on version 2010 when run on Windows XP or Server 2003.

The techniques allowed the attacks to bypass defensive mechanisms data execution prevention and address space layout randomisation.

"Specifically, the exploit code performs a large memory heap-spray using ActiveX controls -- instead of the usual scripting -- and uses hardcoded ROP (return-oriented programming) gadgets to allocate executable pages," Microsoft Secure Windows Initiative staffer 'swait' wrote in a blog.

"This also means the exploit will fail on machines hardened to block ActiveX controls embedded in Office documents -- such as Protected View mode used by Office 2010 -- or on computers equipped with a different version of the module used to build the static ROP gadgets."

Microsoft released a temporary 'Fix it' workaround that could block the attack by blocking rendering of the vulnerable TIFF graphic format by way of a registry key.

A formal patch would be released later.

Using Office Protected View, blocking Active X controls and deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET) could help reduce or eliminate the attack vector.

McAfee Labs senior security researcher Haifei Li (@HaifeiLi) reported the vulnerability to Microsoft.

Copyright © SC Magazine, Australia