Active Attacks Targeting Microsoft Office Flaw May Stem From 2009


A Microsoft Office vulnerability patched this month by the software giant has been seen in a wave of attacks that could be traced back to as early as 2009, according to some security researchers studying exploits targeting the flaw.

The attacks use malicious Word documents and target political activists, according to security firm Symantec, which issued a warning shortly after Microsoft's June 2013 Patch Tuesday. The spear-phishing attacks trick users into opening a file that exploits the remote stack-based buffer overflow vulnerability. A successful exploit opens a back door for remote attackers.

"We continue to monitor this threat to improve coverage and will provide any relevant updates when possible," Symantec said. "Symantec strongly advises users to update their antivirus definitions regularly and ensure the latest Microsoft patches are installed."

The MS13-051 security bulletin was rated "important." The vulnerability impacts users of Microsoft Office 2003 and Office for Mac 2011. An attacker can serve up malicious Excel, PowerPoint, Publisher or Word documents to exploit the coding error.

Mainstream support for Microsoft Office 2003 is no longer available. Extended support for the software is scheduled to end April 8, 2014. Microsoft is strongly urging users to upgrade to a newer version of Office or apply the security update. The company believes attacks have been limited to Indonesia and Malaysia.

Attackers have been targeting the zero-day since October 2009, according to security researcher Eric Romang, who reverse-engineered the exploit. Romang said the campaign has been active, targeting more victims than previously thought.

Several malicious documents reviewed by Romang appear to trick users into viewing information related to a number of issues, including a territory conflict between China and the Philippines or a scandal referenced in Malaysia.

Microsoft issued additional guidance on the update. Newer versions of Office and Windows have built-in protections for stack-based buffer overflow conditions to prevent an attacker from escaping Office and further penetrating a victim's system, wrote Neil Sikka, a security engineer with the Microsoft Security Response Center.

"The attacks we observed were extremely targeted in nature and were designed to avoid being investigated by security researchers," Sikka wrote.

Patching experts at Microsoft urged administrators to focus on patching Internet Explorer coding errors. Microsoft's critical bulletin in June repaired 19 flaws in the browser. The Office flaws fall next on the priority list, according to Paul Henry, security and forensic analyst at Lumension.

PUBLISHED ON JUNE 17, 2013