Being top choice as an attack vector is likely not a contest any platform wants to win. Unfortunately for Microsoft, Office will not only continue to be the attackers’ vector of choice but will also be the platform for exploiting vulnerabilities, according to a new report from Menlo Security.
After 360 Total Security blogged about “the first APT (Advanced Persistent Threat) campaign that forms its attack with an Office document embedding a newly discovered Internet Explorer 0-day exploit,” Menlo Security researchers sought to understand why attackers were using malicious Office documents for endpoint exploitation.
Malicious Microsoft Office documents attached to emails as an attack delivery mechanism are not new, but the report, Microsoft Office: The New Platform for Exploiting Zero-Days, detailed the latest examples of the growing sophistication of methods being used and highlighted the need for a more foolproof approach to security.
Even while the paper was being drafted, a new zero-day exploit – CVE-2018-5002 – was disclosed, all while two Flash zero-day vulnerabilities continue to be exploited in the wild.
“There is likely to be an increase in attacks via malevolent email attachments using stealthily embedded, remotely hosted malicious components that leverage application and operating system vulnerabilities, both old and new,” the report stated.
Researchers did find new attack methods, however. One is the use of embedded, remotely hosted malicious components exploiting app and OS vulnerabilities in Word documents delivering zero-day exploits.
Microsoft Word is the leading cloud office-productivity platform, and it’s popularity is expected to grow. In turn it will, presumably, continue to be the attackers’ vector of choice and the platform most often used to exploit vulnerabilities.
The researchers found that almost all recent zero-day attacks have been delivered via Microsoft Word. “With CVE-2018-8174 and CVE-2018-5002, the attackers leveraged Word as a vector to exploit Adobe Flash Player and Internet Explorer. By using Word as the vector, the attackers were able to exploit a browser, even if it is not the default browser, and exploit Flash, even though Flash is blocked by most enterprises," according to the report.
"Microsoft is therefore undoubtedly going to become the platform that attackers leverage most to deliver their zero-day exploits,” the report conlcuded.