A Microsoft Office feature that has been in use since the 1990s can be exploited to deliver malicious executable files to users. The security researcher who discovered it claims that widely used security software is not triggered when the executable files are run.
The feature is the OLE Packager, which is found in every version of Microsoft Office on every Windows OS. It allows content to be embedded in documents, including executable content such as .exe, .js, and .vbe files. There is no way to restrict or disable this functionality in any Office version.
Though Microsoft was informed of this problem, the company reportedly did not respond because it considers the behaviour a feature of Office.
The researcher also provided several PoC (proof-of-concept) document files that take advantage of the feature to perform actions such as locking users' Windows workstations and swapping their mouse button functions.
These documents are all deemed clean by various antivirus providers. The researcher tested the documents with Messagelabs, Malwarebytes Anti-Exploit, and other antivirus products, none of which detected them.
Sandbox technology in other products has also failed to detect these documents. After months of testing, the researcher found that "security solutions simply do not touch this issue."
Microsoft has tried to mitigate this issue in the past by prompting users with pop-up warning messages when they open risky file types, but that list of file types has not been updated over the years. The researcher also noted that most of these messages can simply be clicked through, and that is what most users do.
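Because the article says antivirus and sandbox products do not flag these documents, a defender may want a content-level check of their own. The following is an added example written for this page, not code from the article or from the researcher it cites. It assumes (these details are not in the article) that Office Open XML files are zip containers, that embedded OLE objects are stored under word/embeddings/, xl/embeddings/ or ppt/embeddings/ and declared in [Content_Types].xml with the oleObject content type, that an embedded object is an OLE compound file starting with the D0 CF 11 E0 magic, and that the Packager stores its payload in a stream named "\x01Ole10Native" (directory entry names are UTF-16LE). The sample document is constructed inline; the scan is a heuristic triage aid, not a full OLE parser.

```python
"""Triage check for embedded OLE Package objects in an OOXML (.docx/.xlsx/.pptx) file.
Added example for this page; not the article's or the researcher's code."""
import io
import re
import zipfile

# Assumption: directories where OOXML stores embedded objects.
EMBED_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
# Assumption: content type under which OOXML declares embedded OLE objects.
OLE_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.oleObject"
# Assumption: header magic of an OLE compound file.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Assumption: stream name used by the OLE Packager, as stored in the directory (UTF-16LE).
PACKAGE_STREAM = "\x01Ole10Native".encode("utf-16-le")
# Extensions the article names as deliverable through the Packager.
NAME_RE = re.compile(rb"[\w\-. ]{1,100}\.(?:exe|js|vbe)", re.IGNORECASE)


def find_embedded_objects(data: bytes) -> list:
    """Return one record per embedded object found in an OOXML container."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        types_xml = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        declares_ole = OLE_CONTENT_TYPE.encode() in types_xml
        for name in names:
            if not name.startswith(EMBED_DIRS):
                continue
            blob = zf.read(name)
            findings.append({
                "path": name,
                "declared_ole": declares_ole,
                "is_compound_file": blob.startswith(CFB_MAGIC),
                "has_package_stream": PACKAGE_STREAM in blob,
                # Filenames with risky extensions seen in the raw object bytes.
                "risky_names": sorted({m.decode("latin-1") for m in NAME_RE.findall(blob)}),
            })
    return findings


def is_suspicious(finding: dict) -> bool:
    """An object is worth a closer look if it carries a Packager stream or a risky filename."""
    return finding["has_package_stream"] or bool(finding["risky_names"])


def build_sample_docx(with_package: bool) -> bytes:
    """Constructed sample: a minimal .docx-like zip, optionally carrying an embedded
    object that mimics an OLE Package wrapping a file named payload.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>')
        if with_package:
            ct += f'<Default Extension="bin" ContentType="{OLE_CONTENT_TYPE}"/>'
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_package:
            # Not a valid compound file, just enough structure for the heuristics above.
            blob = CFB_MAGIC + b"\x00" * 24 + PACKAGE_STREAM + b"\x00" * 8 + b"payload.exe\x00"
            zf.writestr("word/embeddings/oleObject1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("packaged", build_sample_docx(True))):
        hits = find_embedded_objects(doc)
        print(f"{label}: {len(hits)} embedded object(s)")
        for h in hits:
            print("  ", h["path"], "SUSPICIOUS" if is_suspicious(h) else "ok", h["risky_names"])
```

In practice the check would be run over documents arriving at a mail gateway or file share, and any finding with a Packager stream would be quarantined for manual review rather than relying on the warning prompts the article describes.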
Sources
1. Help Net Security.
2. Seclist.org
The Week That Was
1. 20-year-old student has written more than 100 malware programs. In two years this Brazilian student has developed and distributed more than 100 malware programs, selling for US$300 each. The computer science student has also released free versions of fully functional banking Trojan source code, which can be used to steal login details from customers of four different banking websites, including HSBC Brazil, Bank of Brazil and Caixa. For access to other financial institutions, 'clients' have to pay for a more powerful tool, TSPY_BANKER.NJH.
2. Google yanks fake Android battery monitor. A fake battery monitor app was discovered on Google Play. Google suspects that the malicious version of the BatteryBot battery indicator app was probably trying to gather an army of compromised devices for click fraud, ad fraud and premium SMS scams.
3. Hacked Hacking Team tells police and governments to shut down its software. The Italian surveillance company, which was recently hacked and had 400GB of its source code and internal data stolen and posted online, has advised police and governments who use its software to shut it down until it can confirm whether law enforcement operations have been compromised.
4. Palo Alto Unit 42 discovers new Android malware family. A new family of Android malware, named "Gunpoder", has evaded all antivirus products in the VirusTotal web service. During research by the Unit 42 team, it was found to contain many characteristics of adware (it embeds a popular adware library), but a number of overtly malicious activities was also discovered, which characterize it as malware.