During yesterday’s Patch Tuesday security update, Microsoft has fixed a vulnerability in the Office Suite that allowed an attacker to bypass one of the product’s security features called Protected View.
In the real world, Protected View is one of the most crucial and useful security features Microsoft ever added to the Office Suite.
This feature is basically a sandbox that runs Office documents in a limited environment. Protected View intervenes when the user opens an Office file from the Internet and is turned on by default.
The feature is incredibly useful when opening attachments received via email, which sometimes may contain viruses.
Protected View bypass leaves the door open for OLE and macro exploits
Protected View works by blocking all dynamic content embedded in the file, and allowing the user to read the file. If the user needs to edit the file, he can then click the “Enable Editing” button which lets him make modifications to the document, but also unleashes all dynamic content, such as scripts or embedded OLE objects.
Both, scripts (macros) and OLE objects, are known to deliver vicious exploits that can sometime grant the attacker full control over infected devices.
McAfee (Intel Security) experts havea simple method of bypassing automatic Protected View activation for files opened from the Internet.
Protected View bypass uses Excel add-in files
The trick is to save the malware-laced file as an Excel add-in (.XLA files). Protected View won’t activate by default for XLA files, and if crooks embed ActiveX or OLE objects inside these add-in files, they can automatically trigger the exploit without any subsequent user interaction.
Microsoft fixed the vulnerability (CVE-2016-3279) in. “The security feature bypass by itself does not allow arbitrary code execution,” Microsoft writes in its security bulletin. “However, to successfully exploit the vulnerability, an attacker would have to use it in conjunction with another vulnerability, such as a remote code execution vulnerability, to take advantage of the security feature bypass vulnerability and run arbitrary code.”
Taking into account the huge number of Office exploits currently available, an attacker only has to choose which one to embed in his file.
As mentioned above, the exploit executes automatically when opening an XLA file, so unless you’re running the latest Windows version, make a mental note to never open XLA files received via email.
This entry passed through the Full-Text RSS service – if this is your content and you’re reading it on someone else’s site, please read the FAQ at fivefilters.org/content-only/faq.php#publishers.
Recommended article from FiveFilters.org: .