Trendmicro AV signature for CVE-2014-6352 Windows zero-day flaw in targeted PowerPoint attacks

Posted on 2014-10-24
Last Modified: 2014-11-11
Q1:
Is there a Trend Micro OfficeScan AV signature for the following exploits?
So far, Trend Support said they're still checking.

Q2:
What's the likelihood of being attacked/hacked if we don't have PowerPoint but only Web Software Components (i.e. MS Access, MS Excel)?

Hackers exploit Windows zero-day flaw in targeted PowerPoint attacks
Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn.

An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in "limited, targeted attacks".

The bug (CVE-2014-6352) can be triggered by sending specially crafted Microsoft Office files to intended targets and then tricking them into opening the booby-trapped files.

The specially crafted malicious files would contain a malicious Object Linking and Embedding (OLE) object, a technology used to share data between applications that allows a chart from an Excel Spreadsheet within a PowerPoint presentation, among other functions. Tricking a user into opening a malicious file results in an infected machine but won't cough admin privileges to the hacker – at least not by itself. Attacks are likely to generate pop-up warnings and under default settings a User Access Control popup would get displayed.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted Office file that is used to attempt to exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

Potential Impact

· Remote Code Execution
· Privilege Escalation
· Data Exfiltration
· Lateral spread in Malware


Recommendations

Below are some suggested best practices and solutions to prevent remote code execution within your organization.

· Ensure all operating systems and public-facing machines have the latest versions and security patches, and antivirus software and definitions up to date.
· Be aware of spear phishing emails that may trick you into opening a malicious document or clicking a link to a malicious landing page.
· Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
· Ensure that users' privileges are issued according to their level. This has less impact than for those who have administrative rights.
· To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
· Educate your users to practise safe computing.
· Ensure that relevant personnel are versed in follow-up actions for IT security incidents and recovery procedures.
· Do continue to be vigilant and work closely with your ITSO/ITSM on any escalated security events from the EDMS SOC. Please ensure your contact list for EDMS SOC escalation is up to date. In the event of any security incident, please inform EDMS SOC or your ITSO/ITSM immediately.

Microsoft has released workaround and “Fix It” solutions: https://technet.microsoft.com/library/security/3010060#ID0EPG
Question by:sunhux

Assisted Solution

by:dbrunton
dbrunton earned 120 total points
Q1:
Is there a Trendmicro's Officescan AV signature for the following exploits?
So far, Trend Support said they're still checking.

One will turn up eventually.  As will a Microsoft fix.

Q2:
What's the likelihood of being attacked/hacked if we don't have Powerpoint but only Web Software Components (ie MS Access, MS Excel) ?

It is unlikely that any attacker will know what you have, unless they have insider knowledge and you are being deliberately targeted.  It is more likely to be a blind attack working on the assumption that many users will have Microsoft Office installed on their computers (including PowerPoint) and they will strike one silly enough to open a suspicious file.

-------------------

How to avoid being a victim.  Read the Recommendations in your question.  Best practice is for users to have minimal rights when working on a computer and to be educated as what to do with unknown emails.  If an email prompts for UAC rights (see the note in the Recommendations) then there is something terribly wrong with that email.

Accepted Solution

by:btan
btan earned 300 total points
1. They should be coming up, but meanwhile they have the DS solutions below that protect against Sandworm and also protect against these more recent attacks (the original CVE is not fully patched). The following DPI rules cover these threats. Hear back from support in the meantime.

1006290 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
1006291 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1

Having said that, even if a threat vector such as a ppt lands on the machine, the exploit may still be detected by TM if known threats are re-used, or common anomalous threat behaviour can still trigger another layer of detection, though that is at a later stage. It is worse if there is not even an AV/FW on the machine.

Just like when CVE-2014-4114 came in, new evasion techniques evolved but could still be detected: http://blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2014-4114-attacks-seen-one-week-after-fix/

2. Note the difference between the two CVEs: while the original vulnerability (CVE-2014-4114) involved embedded OLE files linking to external files, the newer vulnerability (CVE-2014-6352) relates to OLE files that have the executable payloads embedded within them. As long as there is a threat carrier that can embed OLE, it can still come into the machine, e.g. servers or workstations that open documents with embedded OLE objects are primarily at risk.

So blocking only ppt is just a reactive measure; though the attack surface is minimised, it is still not remediated. A machine that is insecure and not minimally hardened to disable unnecessary services, interfaces and accounts is already open to any threat vector (not necessarily this CVE). Also, an OLE object (such as an XLS) can be contained in a compound Microsoft Word document, so the latter is another threat carrier. In other words, blocking the whole MS suite is going to be a knee-jerk response for now... and users are unlikely to live with that block in place.

Note also that user interaction is required to exploit this vulnerability, so educating users about its existence can be useful. Some scenarios to include for awareness, so they are wary and do not open untrusted files, go to untrusted sites, or download untrusted content, etc.:
In an email attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user. For this attack scenario to be successful, the user must be convinced to open the specially crafted file containing the malicious OLE object. All Microsoft Office file types as well as many other third-party file types could contain a malicious OLE object.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit this vulnerability. In addition, compromised websites (and websites that accept or host user-provided content) could contain specially crafted content that could exploit this vulnerability. An attacker would have no method to force users to visit a malicious website. Instead, an attacker would have to persuade the targeted user to visit the website, typically by getting them to click a hyperlink that directs a web browser to the attacker-controlled website.

There is still no patch for this second one, but Microsoft has offered a Fix It and workarounds for blocking known attack vectors. So apply the workaround for the time being, and EMET v5 Attack Surface Reduction will be another layer as well.
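The accepted answer's point that any OLE-capable carrier (Word, Excel or PowerPoint, in legacy or OOXML form) can bring an embedded object onto a machine suggests a triage check a defender can run over mail attachments or a file share before users open them. The script below is an added example, not code from this thread, from Trend Micro or from Microsoft. It opens an OOXML document as a zip, lists the parts under an embeddings/ folder, checks whether each carries the OLE2 compound-file signature, and collects the ProgIDs declared in the XML parts, flagging the "Package" ProgID (the packager object type that the EMET configuration posted later in the thread blocks via packager.dll) as needing review. The sample document is constructed in memory for the demonstration, and the Ole10Native stream-name check is my own heuristic assumption rather than a vendor detection.

```python
import io
import re
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 compound file signature
OLE10NATIVE = "Ole10Native".encode("utf-16-le")         # stream name used by packager objects (heuristic)
PROGID_RE = re.compile(rb'[pP]rog[iI][dD]="([^"]*)"')   # progId= (pptx) / ProgID= (docx)


def list_embeddings(doc: bytes) -> list:
    """One record per part under an embeddings/ folder of the OOXML zip."""
    records = []
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for name in zf.namelist():
            if "/embeddings/" not in name:
                continue
            payload = zf.read(name)
            records.append({
                "part": name,
                "size": len(payload),
                "is_cfb": payload.startswith(CFB_MAGIC),
                "has_ole10native": OLE10NATIVE in payload,
            })
    return records


def collect_progids(doc: bytes) -> set:
    """ProgIDs declared in any XML or rels part (e.g. Excel.Sheet.12, Package)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for name in zf.namelist():
            if name.endswith(".xml") or name.endswith(".rels"):
                for match in PROGID_RE.findall(zf.read(name)):
                    found.add(match.decode("ascii", "replace"))
    return found


def assess(doc: bytes) -> dict:
    """Return a verdict a mail gateway or file-share scan could act on."""
    parts = list_embeddings(doc)
    progids = collect_progids(doc)
    if not parts:
        verdict = "no-ole"
    elif "Package" in progids or any(p["has_ole10native"] for p in parts):
        verdict = "ole-package"   # embedded arbitrary file: hold for review
    else:
        verdict = "ole-embedded"  # e.g. an Excel chart: lower concern, still log it
    return {"verdict": verdict, "embeddings": parts, "progids": sorted(progids)}


def build_sample(with_package: bool) -> bytes:
    """Constructed minimal .pptx-like zip for the demonstration (not a real deck)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_package:
            zf.writestr("ppt/slides/slide1.xml",
                        '<p:sld><p:oleObj progId="Package" r:id="rId2"/></p:sld>')
            # Fake OLE2 container: real header signature, then the packager stream name
            zf.writestr("ppt/embeddings/oleObject1.bin",
                        CFB_MAGIC + b"\x00" * 504 + OLE10NATIVE + b"\x00" * 64)
        else:
            zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(assess(build_sample(flag))["verdict"])
```

Legacy binary formats (.ppt, .doc, .xls) are themselves OLE2 compound files rather than zips, so for those a scanner has to walk the compound-file directory instead; the zip check above only covers the OOXML carriers.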

Author Comment

by:sunhux
Thanks chaps,

I've got the MS workaround MSI installer for the team; it's just that governance and our local IT authority are raising queries.

Though we are applying the MS workaround, being paranoid, governance will always want us to have the DPI rule as well as the OfficeScan AV signature updated, thus I'm specifically looking for an OfficeScan signature that deals with this.

Both TippingPoint and Trend Micro IPS support told me they are still working on the signatures for TippingPoint and Deep Security, so I'll just wait for them.

However, for OfficeScan, the Trend support team I'm dealing with told me they don't cover OfficeScan, so I was hoping someone knows anything about an OfficeScan signature that deals with CVE-2014-6352.

Assisted Solution

by:btan
btan earned 300 total points
No signature per se for any AV, to the best of my knowledge. But as mentioned, such attacks are likely to generate pop-up warnings, and under default settings a User Access Control popup would get displayed. This means that user interaction would be needed to run successful attacks based on CVE-2014-6352 alone, an important limiting factor.

The closest for TM OfficeScan is its Real-time Scan, which already includes OLE scanning, and if there is some "foul" play (as shared, carrying known exploits) it is likely to trigger, but that is not targeting this CVE-2014-6532 per se.
http://docs.trendmicro.com/all/ent/officescan/v10.5/en-us/osce_10.5_olhcl/osce_topics/configure_real-time_scan.htm
Scan OLE objects: When a file contains multiple Object Linking and Embedding (OLE) layers, OfficeScan scans up to the number of layers you specify and skips the remaining layers.

Detect exploit code in OLE files: OLE Exploit Detection heuristically identifies malware by checking Microsoft Office files for exploit code.

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 80 total points
1. Follow the instructions available here

2. Download and install EMET 5.0

Apply the xml file from #1
EMET_CVE-2014-6532.xml
<EMET Version="5.0.5324.31801">
  <Settings />
  <EMET_Apps>
    <AppConfig Path="*" Executable="dllhost.exe">
      <Mitigation Name="DEP" Enabled="false" />
      <Mitigation Name="SEHOP" Enabled="false" />
      <Mitigation Name="NullPage" Enabled="false" />
      <Mitigation Name="HeapSpray" Enabled="false" />
      <Mitigation Name="EAF" Enabled="false" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="MandatoryASLR" Enabled="false" />
      <Mitigation Name="BottomUpASLR" Enabled="false" />
      <Mitigation Name="LoadLib" Enabled="false" />
      <Mitigation Name="MemProt" Enabled="false" />
      <Mitigation Name="Caller" Enabled="false" />
      <Mitigation Name="SimExecFlow" Enabled="false" />
      <Mitigation Name="StackPivot" Enabled="false" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>packager.dll</asr_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\OFFICE1*" Executable="POWERPNT.EXE">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
      <Mitigation Name="LoadLib" Enabled="true" />
      <Mitigation Name="MemProt" Enabled="true" />
      <Mitigation Name="Caller" Enabled="true" />
      <Mitigation Name="SimExecFlow" Enabled="true" />
      <Mitigation Name="StackPivot" Enabled="true" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>flash*.ocx;packager.dll</asr_modules>
      </Mitigation>
    </AppConfig>
  </EMET_Apps>
</EMET>


Assisted Solution

by:btan
btan earned 300 total points
If using EMET you will need v5.0, as it comes with ASR as in the MS advisory. This is rather similar to the TM Real-time Scan plugin scan/block: ASR locks the usage of specific modules or plug-ins within an application. The MS article shares examples.

For ASR, it covers winword.exe/excel.exe/powerpnt.exe:
 (1) you can configure EMET to prevent Microsoft Word from loading the Adobe Flash Player plug-in, or, with the support of security zones, you can use EMET to prevent Internet Explorer from loading the Java plug-in on an Internet Zone website while continuing to allow Java on Intranet Zone websites.

(2) Preventing Microsoft Word from launching an Adobe Flash Player file embedded in the document. By default, EMET 5.0 Technical Preview comes pre-configured to block certain plug-ins from being loaded by Internet Explorer, Microsoft Word and Microsoft Excel.

But do some testing in staging with TM and EMET to see if any apps break or there are any IE anomalies (hangs etc.); we do not want to crash ourselves by overdoing it...

Expert Comment

by:btan
Note that the EMET v5 config from MS is using ASR (for flash*.ocx;packager.dll); it disabled EAF, EAF+ and Stack Pivot for "dllhost.exe" but enabled them for "POWERPNT.EXE". Hence it is better to test with TM running currently to ensure they do not "crash" one another.
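To see at a glance what such an EMET export actually enforces per executable (the point made in the comment above about mitigations that are off for dllhost.exe but on for POWERPNT.EXE), here is an added audit script; it is not from the thread, from Microsoft or from Trend Micro. It parses the AppConfig/Mitigation structure of an EMET 5 export, reports every mitigation that is disabled for each executable, checks that ASR covers packager.dll, and lists the mitigations that differ between two executables. The embedded XML is a constructed, abbreviated copy with the same shape as the export posted earlier in the thread, and the requirement that ASR block packager.dll is my assumption for the demonstration.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed, abbreviated sample with the shape of an EMET 5 export (not the MS file itself)
SAMPLE_EMET_XML = r"""<EMET Version="5.0.5324.31801">
  <Settings />
  <EMET_Apps>
    <AppConfig Path="*" Executable="dllhost.exe">
      <Mitigation Name="DEP" Enabled="false" />
      <Mitigation Name="EAF" Enabled="false" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="StackPivot" Enabled="false" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>packager.dll</asr_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\OFFICE1*" Executable="POWERPNT.EXE">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="StackPivot" Enabled="true" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>flash*.ocx;packager.dll</asr_modules>
      </Mitigation>
    </AppConfig>
  </EMET_Apps>
</EMET>"""


def parse_emet(xml_text):
    """Map executable name -> path, enabled/disabled mitigation sets, ASR module list."""
    apps = {}
    for app in ET.fromstring(xml_text).iter("AppConfig"):
        entry = {"path": app.get("Path"), "enabled": set(), "disabled": set(), "asr_modules": []}
        for mit in app.findall("Mitigation"):
            name = mit.get("Name")
            enabled = mit.get("Enabled", "false").lower() == "true"
            (entry["enabled"] if enabled else entry["disabled"]).add(name)
            if name == "ASR" and enabled:
                modules = mit.findtext("asr_modules") or ""
                entry["asr_modules"] = [m.strip() for m in modules.split(";") if m.strip()]
        apps[app.get("Executable")] = entry
    return apps


def asr_blocks(entry, module):
    """True if any ASR pattern for this app matches the module (EMET patterns are globs)."""
    return any(fnmatchcase(module.lower(), pat.lower()) for pat in entry["asr_modules"])


def audit(apps, required_modules=("packager.dll",)):
    """Findings a reviewer would want: ASR gaps first, then every disabled mitigation."""
    findings = []
    for exe, entry in sorted(apps.items()):
        for module in required_modules:
            if not asr_blocks(entry, module):
                findings.append(f"{exe}: ASR does not block {module}")
        for name in sorted(entry["disabled"]):
            findings.append(f"{exe}: {name} disabled")
    return findings


def differences(apps, exe_a, exe_b):
    """Mitigations enabled for exe_b but not for exe_a."""
    return apps[exe_b]["enabled"] - apps[exe_a]["enabled"]


if __name__ == "__main__":
    parsed = parse_emet(SAMPLE_EMET_XML)
    for line in audit(parsed):
        print(line)
    print("on for POWERPNT.EXE but off for dllhost.exe:",
          sorted(differences(parsed, "dllhost.exe", "POWERPNT.EXE")))
```

Point parse_emet at the real export instead of the embedded sample to audit the full file; the disabled-mitigation list is the thing to reconcile with the staging test the comment above recommends, since each entry is a mitigation that will not be exercised for that executable.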
