Product Coverage and Mitigation for CVE-2014-1761 (Microsoft Word)

On March 24, Microsoft released Security Advisory 2953095 for Microsoft Word. In-the-wild exploitation of this vulnerability has been observed across limited, targeted attacks. The flaw is a memory-corruption vulnerability that can be invoked when parsing specially crafted RTF files or data. Successful exploitation can give an attacker the ability to run arbitrary code (via remote code execution). The flaw affects the following:

• Microsoft Office Compatibility Pack Service Pack 3
• Microsoft Office for Mac 2011
• Microsoft Office Web Apps 2010 Service Pack 1
• Microsoft Office Web Apps 2010 Service Pack 2
• Microsoft Office Web Apps Server 2013
• Microsoft Word 2003 Service Pack 3
• Microsoft Word 2007 Service Pack 3
• Microsoft Word 2010 Service Pack 1 (32-bit editions)
• Microsoft Word 2010 Service Pack 1 (64-bit editions)
• Microsoft Word 2010 Service Pack 2 (32-bit editions)
• Microsoft Word 2010 Service Pack 2 (64-bit editions)
• Microsoft Word 2013 (32-bit editions)
• Microsoft Word 2013 (64-bit editions)
• Microsoft Word 2013 RT
• Microsoft Word Viewer
• Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
• Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
• Word Automation Services on Microsoft SharePoint Server 2013

Current McAfee product coverage and mitigation

• McAfee Vulnerability Manager: The FSL/MVM package of March 24 includes a vulnerability check to assess if your systems are at risk.
• McAfee Host Intrusion Prevention (HIPS): Generic buffer overflow protection is expected to cover code execution exploits.
• McAfee Network Intrusion Prevention / Network Security Platform (NIPS) : The NSP release of March 27 will include coverage for this threat.
• Stonesoft (NGFW):  Coverage is provided in Update Package 572-5211 (Released March 27, 2014)
• McAfee VirusScan (AV): Coverage is provided as Exploit-CVE2014-1761.
• McAfee Web Gateway (AV): Coverage is provided as Exploit-CVE2014-1761.

Cryptocurrency mining

Microsoft’s blog post highlights IP address 185.12.44.51 as a command and control host. This same host has multiple Bitcoin transactions associated with it as a relay. These can be queried and observed via Blockchain.info. As of this writing, the cumulative balance across the associated Bitcoin wallets is BTC 193.5043147 (about US$111,600).

Resources

• Microsoft: Security Advisory 2953095: recommendation to stay protected and for detections
• Microsoft: Microsoft Security Advisory (2953095)
• McAfee / Stonesoft – Release Notes For Update Package 572-5211