
Word hole patched in 2012 is 'unchallenged' king of Office exploits

It's 2016, people, even the pirates have patched

By Darren Pauli, 5 Jul 2016

Possibly the most exploited, and unchallenged, Microsoft Office vulnerability of the last decade was found and patched in 2012.

Sophos threat researcher Graham Chantry says the longevity of the dusty bug, which affects Office 2003, 2007 and 2010, is thanks to its constant adaptation by exploit kit authors and a pervasive unwillingness to patch.

So remarkably slack are some legitimate users and organisations that they are running behind even the pirates, who now offer black-market copies of the latest Office 2016 releases and have all but abandoned the torrents that seeded the exposed old versions.

"[It is] somewhat a modern day embodiment of Charles Darwin's On the Origin of Species," Chantry says in analysis [PDF].

"While it's not unusual for a certain vulnerability to be favored over others, it is rare for one to do so consistently and for such a long period of time.

"Realistically, until Office exploit kits cut their ties with it, it seems very unlikely that we will see the back of it anytime soon."

Attackers are now exploiting the flaw in smaller, typically rich text format (RTF) campaigns rather than the mass spamming that characterised its earlier use. Prominent threat campaigns include Red October, FakeM and Rotten Tomato.

Chantry says it is "remarkable" that the arbitrary code execution flaw is still common enough for exploit writers to hose machines by way of unpatched Microsoft Word installations.

Attackers have found ways to conceal the exploit in Word and Excel encryption features, in rich text format, and in intermixed binary data, the last of which was the stealthiest of the mechanisms.

Those, however, were only four of the "literally thousands" of different obfuscation tricks black hats have used to exploit the old hole.

It is not the oldest bug still in use -- a nod must go to the rich text format hole CVE-2010-3333 -- but it still has enough life left in it to remain a valid tool for attackers. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing