More from Haifei Li

McAfee Labs

Analyzing Microsoft Office Zero-Day Exploit CVE-2017-11826: Memory Corruption Vulnerability

McAfee Labs has performed frequent analyses of Office-related threats over the years: In 2015, we presented research on the Office OLE mechanism; in 2016 at the BlueHat conference, we looked at the high-level attack surface of Office; and this year at the SYSCAN360 Seattle conference, we presented deep research on the ...

McAfee Labs

Critical Office Zero-Day Attacks Detected in the Wild

At McAfee, we have put significant efforts in hunting attacks such as advanced persistent threats and “zero days.” Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not ...

McAfee Labs

Patch Now: Simple Office ‘Protected View’ Bypass Could Have Big Impact

Protected View is a security feature of Microsoft Office. According to research from MWR Labs, Protected View mode is a strong application-level sandbox. In a real-world attack scenario, Office documents from the Internet, such as downloaded documents from browsers (Chrome, Edge, Internet Explorer), or attachments received on emails clients (such as ...

McAfee Labs

Threat Actors Employ COM Technology in Shellcode to Evade Detection

COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it is one of the fundamental architectures in Windows. From the security point of view, several “features” built into COM have lead to many security vulnerabilities. These features include ActiveX (an ...

McAfee Labs

Threat Actors Use Encrypted Office Binary Format to Evade Detection

This blog post was written in conjunction with Xiaoning Li. Microsoft Office documents play an important role in our work and personal lives. In the last couple years, unfortunately, we have seen a number of exploits, especially some critical zero-day attacks, delivered as Office documents. Here are a couple of ...

McAfee Labs

An Advance You Won’t Want to Miss: McAfee Adds Flash Exploit Detection to NSP 8.2

Adobe Flash vulnerabilities and exploits have worried users and security professionals for many years. The situation today remains serious. A quick search of the National Vulnerability Database shows 277 vulnerabilities reported in Flash Player since 2011. For Flash zero-day attacks (which means that there was no patch from Adobe when ...

McAfee Labs

Bypassing Microsoft’s Patch for the Sandworm Zero Day

This is the second part of our analysis of the Sandworm OLE zero-day vulnerability and the MS14-060 patch bypass. Check out the first part here. Microsoft’s Patch From our previous analysis we’ve learned that the core of this threat is its ability to effectively right-click a file. Now, let’s see what ...

McAfee Labs

Bypassing Microsoft’s Patch for the Sandworm Zero Day, the Root Cause

On October 21, we warned the public that a new exploitation method could bypass Microsoft’s official patch (MS14-060, KB3000869) for the infamous Sandworm zero-day vulnerability. As Microsoft has finally fixed the problem today via Security Bulletin MS14-064, it’s time to uncover our findings and address some confusion. This is the ...

McAfee Labs

New Exploit of Sandworm Zero-Day Could Bypass Official Patch

Update of October 25: Some comments posted after we published this report suggest that our proof-of-concept exploit will trigger the UAC (User Account Control) on Windows. We did not observe this during our analysis.   During the last few days researchers at McAfee Labs have been actively investigating Sandworm, the ...

McAfee Labs

Dropping Files Into Temp Folder Raises Security Concerns

Recently, the McAfee Advanced Exploit Detection System (AEDS) has delivered some interesting RTF files to our table. These RTFs have executables “attached” to the documents. Usually, some words in the documents try to convince users to click and run the attachments. The following figure shows the point at which a ...

Subscribe to McAfee Securing Tomorrow Blogs