Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: Malicious Documents: A Bit Of News - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malicious Documents: A Bit Of News

This week I saw again a PDF containing a malicious Word document with macros (a downloader).

The PDF contains JavaScript to extract the malicious Word document and launch Word. The user is prompted before this action takes place, but if you want to mitigate this, you can disable JavaScript. If you use Adobe Reader version 15.009.20069 or later, then the extracted Word document is marked with a mark-of-web, regardless if the containing PDF document is marked as such.

I made a video of the analysis of this document.

CVE 2017-0199

There has been a lot of talk about RTF documents exploiting CVE-2017-0199, making Word download and execute an HTML application without requiring any user interaction (except taking the document out of Protected View, depending on the presence of a mark-of-web). And this without VBA macros (RTF does not support VBA macros).

After applying Microsoft's patch for CVE-2017-0199, a downloaded HTA is no longer executed, but it is still downloaded without user interaction. The attention that the RTF auto-update technique received (employed for delivering a CVE-2017-0199 exploit), will certainly stimulate the use of this technique for other purposes, like tracking.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

174 Posts
ISC Handler
Lets not focus on the threat, focus on the exploit which is aimed at Word. In simple terms, Word is the problem. So take MS Word out of the equation. Associate .docx, and now apparently even .rtf, with WordPad. WordPad is NOT script enabled, so at least the VBS and other scripts wont execute. Not sure if web will execute in WordPad (probably worth a test). Using WordPad isnt going to be a perfect solution, but when users see encoded characters and not documents, you may get a few more to wake up. And even when they see good docs in WordPad, its a user-level filter before running Word.
Brett

13 Posts Posts
The vulnerability can be exploited via WordPad too. There is a Windows patch and an Office patch for cve-2017-0199.

Here is a screenshot of how WordPad behaves after patching:
twitter.com/DidierStevens/status/…
DidierStevens

174 Posts Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!