Exploits involved booby-trapped Rich Text Format file and Microsoft Outlook email

Exploits aimed at the recently discovered zero-day vulnerability in Microsoft Word are similar to those used last year by hackers suspected of gathering intelligence for nation states or private companies, a researcher says.

Microsoft disclosed the vulnerability Monday in a security bulletin that said the flaw was being exploited in “limited, targeted attacks” directed at Word 2010. The same vulnerability is also in Word 2003, 2007, 2013 and 2013 RT. The latter is the operating system for Windows tablets running on ARM processors.

The exploits included a booby-trapped Rich Text Format (RTF) file and a specially crafted mail in Microsoft Outlook. Both exploits targeted the previously unknown vulnerability when Word is used as the email viewer.

The RTF exploit is similar to those used in zero-day attacks last year against Microsoft Office, security vendor Sophos told CSOonline Tuesday. The older exploits were also used in targeted attacks, known in the industry as an advanced persistent threat (APT).

“All of them (exploits) were discovered in almost an identical manner — used in a single attack against a single organization in the wild when they were zero-days,” Chester Wisniewski, senior security adviser for Sophos, said. “So when I heard about this thing (latest exploit), immediately I’m like, ‘Oh, it’s probably the same guys.’”

Over the last half dozen years or so, every RTF exploit targeting a zero-day vulnerability was being used to steal information from a particular target, Wisniewski said. APT attacks are typically launched against companies in a specific industry, such as defense or financial services.
The hackers are usually paid to conduct national or industrial espionage.

While there’s no immediate danger for most companies from the latest threat, similar exploits will eventually be used by mainstream hackers focused on compromising PCs to steal online banking credentials, credit card numbers and other personal data.

Last year’s RTF exploits were found in money-stealing malware families, most notably Zbot, three months after the exploits were discovered in APT attacks. Zbot is used primarily to steal online banking credentials, including usernames, passwords and one-time access codes used in two-factor authentication.

With the latest exploit, none of Sophos’ corporate customers have reported finding it in their systems.

“At this point, the garden variety bad guys have not figured it out yet, which is good news,” Wisniewski said. “They will figure it out, but at this point, 24 hours in, we’ve had zero hits in our telemetry.”

Office is a focus of many APT attacks because large companies are generally slower to patch the productivity suite than the Windows operating system, Wisniewski said. That’s because patching Office in thousands of computers can be a major undertaking.

“If you were a company with 25,000 PCs in defense, I don’t know that you can roll out a fix fast enough,” Wisniewski said.
“You’re still going to be vulnerable for a while.”