Microsoft active zero-day attacks target South Pacific

Workaround blocks TIFF graphic format.

Microsoft has warned its customers of attackers exploiting zero-day vulnerabilities in its Office suite of products, and released a tool to help users defend themselves.

Attackers are sending crafted phishing emails to users in South Asia and the Middle East with malicious Word attachments that contain the zero-day exploit.

The attacks used a string of techniques that targeted the way graphics were processed by Office versions 2003 and 2007, and by version 2010 when run on Windows XP or Server 2003.

The techniques allowed the attacks to bypass the defensive mechanisms data execution prevention (DEP) and address space layout randomisation (ASLR).

"Specifically, the exploit code performs a large memory heap-spray using ActiveX controls -- instead of the usual scripting -- and uses hardcoded ROP (return-oriented programming) gadgets to allocate executable pages," Microsoft Secure Windows Initiative staffer 'swait' wrote in a blog.

"This also means the exploit will fail on machines hardened to block ActiveX controls embedded in Office documents -- such as Protected View mode used by Office 2010 -- or on computers equipped with a different version of the module used to build the static ROP gadgets."

Microsoft released a temporary 'Fix it' workaround that could block the attack by blocking rendering of the vulnerable TIFF graphic format by way of a registry key.

A formal patch would be released later.

Using Office Protected View, blocking ActiveX controls and deploying Microsoft's Enhanced Mitigation Experience Toolkit (EMET) could help reduce or eliminate the attack vector.
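A defender-side triage check suggested by the description above (an added example, not Microsoft's Fix it or McAfee's code): it opens an Office Open XML document as the zip archive it is and flags embedded media whose bytes carry a TIFF header together with embedded ActiveX parts, the combination the exploit relies on. The sample document is constructed inside the script; the part names and scoring are assumptions of this example, and older binary .doc files are not covered.

```python
import io
import zipfile

# TIFF magic for both byte orders: little-endian "II*\0" and big-endian "MM\0*"
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")


def triage_docx(data: bytes) -> dict:
    """Return risk indicators found in an Office Open XML (.docx) archive.

    tiff_parts:    word/media/ entries whose content starts with a TIFF header,
                   regardless of the file extension used inside the archive
    activex_parts: entries under word/activeX/, i.e. embedded ActiveX controls
    """
    indicators = {"tiff_parts": [], "activex_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.startswith("word/activex/"):
                indicators["activex_parts"].append(name)
            if lower.startswith("word/media/"):
                with z.open(name) as part:
                    if part.read(4) in TIFF_MAGIC:
                        indicators["tiff_parts"].append(name)
    return indicators


def risk_level(indicators: dict) -> str:
    """Assumed scoring: TIFF plus ActiveX in one document is the case to quarantine."""
    has_tiff = bool(indicators["tiff_parts"])
    has_activex = bool(indicators["activex_parts"])
    if has_tiff and has_activex:
        return "high"
    if has_tiff or has_activex:
        return "medium"
    return "low"


def build_sample_docx(with_tiff: bool, with_activex: bool) -> bytes:
    """Constructed minimal .docx-like archive for offline testing (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_tiff:
            # TIFF header behind a .jpg name: the check reads bytes, not names
            z.writestr("word/media/image1.jpg", b"II*\x00" + b"\x00" * 64)
        if with_activex:
            z.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(risk_level(triage_docx(build_sample_docx(True, True))))  # high
```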

McAfee Labs senior security researcher Haifei Li (@HaifeiLi) reported the vulnerability to Microsoft.

Copyright © SC Magazine, Australia
