On March 24, Microsoft released Security Advisory 2953095 for Microsoft Word. In-the-wild exploitation of this vulnerability has been observed in limited, targeted attacks. The flaw is a memory-corruption vulnerability that can be triggered when Word parses specially crafted RTF files or data. Successful exploitation can give an attacker remote code execution, that is, the ability to run arbitrary code. The flaw affects the following products:
- Microsoft Office Compatibility Pack Service Pack 3
- Microsoft Office for Mac 2011
- Microsoft Office Web Apps 2010 Service Pack 1
- Microsoft Office Web Apps 2010 Service Pack 2
- Microsoft Office Web Apps Server 2013
- Microsoft Word 2003 Service Pack 3
- Microsoft Word 2007 Service Pack 3
- Microsoft Word 2010 Service Pack 1 (32-bit editions)
- Microsoft Word 2010 Service Pack 1 (64-bit editions)
- Microsoft Word 2010 Service Pack 2 (32-bit editions)
- Microsoft Word 2010 Service Pack 2 (64-bit editions)
- Microsoft Word 2013 (32-bit editions)
- Microsoft Word 2013 (64-bit editions)
- Microsoft Word 2013 RT
- Microsoft Word Viewer
- Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
- Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
- Word Automation Services on Microsoft SharePoint Server 2013
Current McAfee product coverage and mitigation
- McAfee Vulnerability Manager: The FSL/MVM package of March 24 includes a vulnerability check to assess if your systems are at risk.
- McAfee Host Intrusion Prevention (HIPS): Generic buffer overflow protection is expected to cover code execution exploits.
- McAfee Network Intrusion Prevention / Network Security Platform (NIPS): The NSP release of March 27 will include coverage for this threat.
- Stonesoft (NGFW): Coverage is provided in Update Package 572-5211 (released March 27, 2014).
- McAfee VirusScan (AV): Coverage is provided as Exploit-CVE2014-1761.
- McAfee Web Gateway (AV): Coverage is provided as Exploit-CVE2014-1761.
Cryptocurrency mining
Microsoft’s blog post highlights IP address 185.12.44.51 as a command and control host. This same host has multiple Bitcoin transactions associated with it as a relay. These can be queried and observed via Blockchain.info. As of this writing, the cumulative balance across the associated Bitcoin wallets is BTC 193.5043147 (about US$111,600).
Resources
- Microsoft: Security Advisory 2953095: recommendation to stay protected and for detections
- Microsoft: Microsoft Security Advisory (2953095)
- McAfee / Stonesoft – Release Notes For Update Package 572-5211
Yes, DAT 7396 detects the exploit CVE 2014-1761
http://www.mcafee.com/apps/mcafee-labs/release-notes/datreadme.aspx?DATFile=7396
best regards,
Walter
Hi,
Is there a DAT signature that will detect the exploit CVE-2014-1761 on a desktop with VirusScan protection?
thanks
Rgds
Hello,
Is there an EXTRA.dat available?
Thx
Mario