
Microsoft office background task handler

  1. Microsoft office background task handler Patch#
  2. Microsoft office background task handler code#

Unlike the more common document formats used by malware droppers (e.g., HTA, PDF, Flash, MS Office), Microsoft's Rich Text Format (RTF) specification appears to leave very little room for exploitation. This misconception stems largely from RTF's lack of support for an embedded scripting language; without one, RTF files have wrongly been dismissed as unlikely carriers of malware.


Let's examine the first two stages of this attack to better understand how RTF files are exploited and what detection methods are possible.

BACKGROUND

RTF File Specification

Microsoft office background task handler Patch#

On April 11, 2017, Microsoft released a patch for Microsoft Office that addresses this zero-day vulnerability. The patch prevents attackers from abusing the HTA handling logic of OLE autolinks within RTF files. On an unpatched system, when a victim opens a malicious RTF, an embedded OLE autolink causes Microsoft Word to download a malicious HTA file and execute it before the user is shown any prompt; by the time a prompt would appear, the infection has already occurred. The malware ensures this by terminating Microsoft Word before the prompt is displayed at all and then starting a new instance of Word with a decoy document, so the victim has no indication that they have been compromised.
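To make the mechanism above concrete, here is an added detection example, written for this page and not code from the original article or from McAfee/FireEye. It scans an RTF for the `\objautlink` and `\objupdate` control words that mark an auto-updating OLE link, decodes the hex `\objdata` payload, and searches it for a serialized URL moniker (CLSID 79EAC9E0-BAF9-11CE-8C82-00AA004BA90B) to recover the remote URL that Word would fetch. The sample RTF is constructed inline: its object data is a deliberately minimal stub (OLE1 header fields, the "OLE2Link" class name, then the moniker) rather than the full OLE compound-file container a real sample carries, and the moniker layout assumed here is the CLSID followed by a little-endian byte count and a UTF-16LE string. The hex decoder tolerates whitespace but not the control words or junk that obfuscated real-world samples interleave in the hex, so a production scanner needs a tolerant RTF parser (or a tool such as oletools' rtfobj).

```python
import binascii
import re

# Serialized form of the URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}:
# Data1/Data2/Data3 are stored little-endian, so the byte order differs from the text form.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# Hex run following an \objdata control word, up to the closing brace.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded binary payload of every \\objdata group in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # drop a dangling nibble rather than fail
            hexstr = hexstr[:-1]
        blobs.append(binascii.unhexlify(hexstr))
    return blobs


def extract_moniker_urls(blob: bytes) -> list:
    """Find every URL moniker in an OLE stream and return the UTF-16LE URLs it carries.

    Assumed layout (labelled as an assumption): CLSID (16 bytes), DWORD byte count,
    then the URL as a NUL-terminated UTF-16LE string.
    """
    urls = []
    pos = 0
    while True:
        idx = blob.find(URL_MONIKER_CLSID, pos)
        if idx < 0:
            break
        n = int.from_bytes(blob[idx + 16: idx + 20], "little")
        raw = blob[idx + 20: idx + 20 + n]
        urls.append(raw.decode("utf-16-le", errors="replace").rstrip("\x00"))
        pos = idx + 16
    return urls


def analyze_rtf(rtf: bytes) -> dict:
    """Flag the CVE-2017-0199 pattern: auto-updating OLE link whose moniker points at a URL."""
    findings = {
        "objautlink": b"\\objautlink" in rtf,
        "objupdate": b"\\objupdate" in rtf,
        "urls": [],
    }
    for blob in extract_objdata(rtf):
        findings["urls"].extend(extract_moniker_urls(blob))
    remote = any(u.lower().startswith(("http://", "https://")) for u in findings["urls"])
    findings["suspicious"] = findings["objautlink"] and findings["objupdate"] and remote
    return findings


def build_sample() -> bytes:
    """Construct a minimal RTF with an auto-updating OLE link to a remote .hta (test data, not a real sample)."""
    url = "http://example.com/template.hta"
    wide = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + len(wide).to_bytes(4, "little") + wide
    # Constructed stub: OLE1 version/format fields and the "OLE2Link" class name,
    # followed directly by the moniker. A real sample wraps this in an OLE2 container.
    objdata = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
               + b"\x09\x00\x00\x00OLE2Link\x00"
               + moniker)
    hexdata = binascii.hexlify(objdata).decode()
    rtf = ("{\\rtf1{\\object\\objautlink\\objupdate\\objw100\\objh100"
           "{\\*\\objdata " + hexdata + "}}\\par Decoy text}")
    return rtf.encode()


if __name__ == "__main__":
    result = analyze_rtf(build_sample())
    print("autolink:", result["objautlink"], "objupdate:", result["objupdate"])
    print("urls:", result["urls"])
    print("suspicious:", result["suspicious"])
```

The three signals are checked together on purpose: `\objautlink` alone appears in benign documents that link to local files, and a URL moniker alone might be a harmless hyperlink, but an auto-updating link whose moniker resolves to an HTTP(S) resource is exactly what triggers the pre-prompt fetch described above, regardless of whether the file extension is .hta.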

Microsoft office background task handler code#

This ongoing support for an aging file format has led to a recent surge of attacks exploiting a weakness in Microsoft Office (CVE-2017-0199). Attackers discovered a way to execute malicious code on a victim's machine without any prompt or warning to the user. On April 7, 2017, Haifei Li of McAfee Labs first reported the attack in a blog post. On April 8, 2017, Genwei Jiang of FireEye acknowledged that they were already working with Microsoft on this vulnerability and had been timing their disclosure to coincide with the availability of a patch.


RTF (Rich Text Format) files have been around since 1987 and are often overlooked and underestimated as a viable attack vector. Although the RTF specification has not been updated since version 1.9.1 was released in March 2008, most document processing applications (e.g., Microsoft Office) still support the format.
