An ongoing study investigating security bugs in Microsoft Office has so far led to two security patches.
Microsoft Office, ubiquitous on enterprise and personal computers, is a hot target for cybercriminals and a key focus area for researchers hoping to find bugs before the bad guys do.
Stan Hegt and Pieter Ceelen, both security researchers and red teamers with security firm Outflank B.V., have been exploring a range of attack techniques that abuse Microsoft Office features. Their previous research, shown at DerbyCon 2018, demonstrated how abusing legacy functionality (a macro language that predates VBA, for example) bypasses security controls.
Outflank B.V. is a small, specialized security firm focused on red teaming, Hegt explained in an interview with Dark Reading. During most engagements, they attempt to remotely compromise workstations. Remote entry is among the toughest attacker methods, says Hegt. “It forces us to innovate, but we don’t see that much innovation in this respect, in the wild.”
Early findings prompted them to analyze flaws within the functionalities embedded into the Office suite. And since DerbyCon, the duo has continued to research Office and uncover new security holes.
“To dive into Microsoft Office, there’s so much to go into,” says Hegt. “When we dove in with the purpose of DerbyCon, we noticed there were many points to go left or right with additional research. Every path led to more cool stuff we could present to the world.”
As part of their ongoing research, Hegt and Ceelen found “at least two things that were not according to spec” – and resulted in two vulnerabilities being recently patched by Microsoft. One CVE uses the old feature of fields in Microsoft Word, in combination with macro buttons (no VBA required) to steal the contents of any file on disk. Another CVE uses fields in …
Author: Kelly Sheridan Staff Editor, Dark Reading