24 March 2014
Microsoft Office — previously believed to be a relatively safe and protected system — was hit with a zero-day exploit in early November 2013. This was the first discovered zero-day exploit in the .docx format. McAfee Labs detected the exploit, and found that early strains of the attack were targeting sensitive information from high-profile groups in the Middle East and Asia. Microsoft released a patch in December to fix vulnerability CVE-2013-3906, but not before the zero-day attack attempted to extract specific files — in .pdf, .txt, .doc, .ppt, and .xls form — from the victims’ environments.
This type of zero-day attack was executed in a never-before-witnessed fashion, which made it more peculiar than other zero-day breaches. The exploits targeted the Word Open XML format (.docx) and an ActiveX control to spray heap memory in Office — a trick usually performed by corrupting Flash Player instead of ActiveX. The change is a sign that cybercriminals are always trying to remain one step ahead of security techniques.
When McAfee Labs discovered this threat in November 2013, they collaborated with other researchers and together the groups identified more than 60 individual strains of the zero-day exploit. Additionally, 500 unique examples of malware reliant on this exploit were documented, and we found that some Citadel Trojan strains were deployed through this attack. The first sample of the zero-day attack on the .docx format dates back to July 2013.
The Open XML exploit came as such a shock because .docx files were previously believed to be quite safe. Ultimately, the lack of surveillance and sandboxing led to exposed vulnerabilities that were taken advantage of by attackers. The method of heap spraying without scripting also kept the attack hidden for longer, since scripting actions are more likely caught by security improvements in Office 2007 and later versions. More troublesome is that this flaw is completely documented for attackers, which makes actually incorporating the exploit into new attacks much simpler. Further, data execution prevention (DEP) is not automatically enabled in Office 2007, which allows heap spray attacks of a lesser caliber to successfully carry out an attack.