Here’s how attackers take advantage of Office document vulnerabilities on Windows 10
Malware campaigns take advantage of security vulnerabilities and people’s naivety, making them difficult to stop.
What you need to know
Details have come out regarding a vulnerability in Windows that left some people open to attacks that utilize Office documents. Microsoft disclosed the Windows CVE-2021-40444 zero-day vulnerability on Tuesday, September 7, 2021, but the company did not share many details about it at the time. Microsoft explained that the vulnerability could be exploited by using ActiveX controls contained in Office documents. This method could be used to get malware onto computers. Now, we have more details about the issue.
Bleeping Computer gathered comments from several security experts regarding the vulnerability to illustrate how it works to attackers' advantages. For reference: Documents open in Protected View in Office if a Mark of the Web (MotW) is detected, signaling that a document originated on the Internet and could be dangerous. This security measure, however, isn’t a foolproof solution.
Vulnerability analyst Will Dormann explained some of the flaws in this setup:
If the document is in a container that is processed by something that is not MotW-aware, then the fact that the container was downloaded from the Internet will be moot. For example, if 7Zip opens an archive that came from the Internet, the extracted contents will have no indication that it came from the Internet. So no MotW, no Protected View. Similarly, if the document is in a container like an ISO file, a Windows user can simply double-click on the ISO to open it. But Windows doesn’t treat the contents as having come from the Internet. So again, no MotW, no Protected View.
There are also some types of files, such as RTF files, that don’t open in Protected View, which causes security issues.
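The gap Dormann describes is checkable: on NTFS the Mark of the Web is a small alternate data stream named Zone.Identifier, and Office consults its ZoneId to decide on Protected View. The script below is an added example, not code from the article or from the researchers it quotes. It assumes the Windows convention that the stream is reachable as "<path>:Zone.Identifier"; the parsing and decision helpers run on any platform, and the sample stream text is constructed. Used on a folder you just extracted from an ISO or archive, it reports which files carry no mark and, with --fix, re-applies an Internet-zone mark so Office opens them in Protected View.

```python
"""Audit files for the Mark of the Web (MotW) and re-apply it to files that
lost it by being extracted from an ISO or archive.

Added example, not code from the article. It assumes the Windows/NTFS
convention that the MotW lives in an alternate data stream reachable as
"<path>:Zone.Identifier"; the parsing helpers run on any platform."""
import sys
from pathlib import Path
from typing import Dict, List, Optional, Tuple

ZONE_STREAM_SUFFIX = ":Zone.Identifier"
ZONE_INTERNET = 3    # URLZONE_INTERNET: Office opens these in Protected View
ZONE_UNTRUSTED = 4   # URLZONE_UNTRUSTED (Restricted sites): also Protected View

# Document types worth re-marking after extraction (assumed list for this example).
OFFICE_SUFFIXES = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx"}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-like Zone.Identifier stream into key/value pairs.

    Example stream (constructed):
        [ZoneTransfer]
        ZoneId=3
        HostUrl=https://example.invalid/newsletter.docx
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def zone_id(fields: Dict[str, str]) -> Optional[int]:
    """Numeric ZoneId from parsed fields, or None if missing or malformed."""
    try:
        return int(fields.get("ZoneId", ""))
    except ValueError:
        return None


def triggers_protected_view(fields: Optional[Dict[str, str]]) -> bool:
    """True when the mark says Internet or Restricted origin (zones 3 and 4).
    A missing stream (None) means no Protected View: exactly the gap that
    ISO and archive contents fall into."""
    if fields is None:
        return False
    return zone_id(fields) in (ZONE_INTERNET, ZONE_UNTRUSTED)


def read_motw(path: Path) -> Optional[Dict[str, str]]:
    """Read and parse a file's Zone.Identifier stream; None if it has none."""
    try:
        with open(f"{path}{ZONE_STREAM_SUFFIX}", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def apply_motw(path: Path, zone: int = ZONE_INTERNET) -> None:
    """Write a Zone.Identifier stream so Office will open the file in Protected View."""
    with open(f"{path}{ZONE_STREAM_SUFFIX}", "w", encoding="utf-8") as f:
        f.write(f"[ZoneTransfer]\nZoneId={zone}\n")


def audit(folder: Path, fix: bool = False) -> List[Tuple[Path, bool]]:
    """Return (file, is_marked) for every file under folder. With fix=True,
    unmarked Office documents are marked as Internet-origin."""
    results: List[Tuple[Path, bool]] = []
    for p in folder.rglob("*"):
        if not p.is_file():
            continue
        marked = triggers_protected_view(read_motw(p))
        if not marked and fix and p.suffix.lower() in OFFICE_SUFFIXES:
            apply_motw(p)
        results.append((p, marked))
    return results


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    target = Path(args[0]) if args else Path(".")
    for file_path, marked in audit(target, fix="--fix" in sys.argv):
        print(f"{'MotW' if marked else 'NO MotW':8} {file_path}")
```

Run it as `python motw_audit.py C:\extracted --fix` after mounting an ISO or unpacking an archive; anything still reported as NO MotW afterwards is a non-Office file, which this example leaves alone on purpose.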
Inspired by @buffaloverflow, I tested out the RTF attack vector. And it works quite nicely. WHERE IS YOUR PROTECTED MODE NOW? pic.twitter.com/qf021VYO2R — Will Dormann (@wdormann) September 9, 2021
Microsoft has mitigations in place to prevent ActiveX controls from running in Internet Explorer, but researchers have found workarounds.
To illustrate the viability of these types of attacks, here’s a hypothetical that utilizes several attack methods we’ve reported on over the last few months.
Suppose you receive an email that appears to be from Futurenet.com, but instead, it’s actually from Futurenеt.com (note the second “e” being different). This email would be from a spoof domain that utilizes an old-school tactic that mixes characters from the Latin and Cyrillic alphabets together. At a quick glance, the email looks legitimate. Now imagine this trick combined with a recent bug in Outlook that failed to differentiate between Latin and Cyrillic characters, causing malicious email addresses to appear alongside genuine contact cards within Outlook.
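A mail gateway or triage script can catch this trick mechanically, because a legitimate domain label almost never mixes Latin and Cyrillic letters. The script below is an added example, not code from the article; it classifies each character of the sender's domain by Unicode script, flags any label that mixes scripts, and shows the punycode (xn--) form that actually travels on the wire. The sample addresses are constructed, and "futurenet.com" is reused only because the article uses it as its hypothetical.

```python
"""Flag sender domains whose labels mix Unicode scripts (e.g. Latin + Cyrillic).

Added example, not code from the article. The sample addresses are constructed."""
import unicodedata
from typing import Dict, List, Set


def char_script(ch: str) -> str:
    """Approximate a character's script from the first word of its Unicode name
    (LATIN, CYRILLIC, GREEK, ...). Digits, hyphens and dots are script-neutral."""
    if ch.isdigit() or ch in "-.":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def label_scripts(label: str) -> Set[str]:
    """Set of scripts used in one domain label, ignoring neutral characters."""
    return {char_script(c) for c in label} - {"COMMON"}


def analyse_domain(domain: str) -> Dict[str, object]:
    """Report per-label scripts, whether any label mixes scripts, and the
    punycode form a mail server sees. An all-Cyrillic IDN is not flagged:
    the signal is mixing within one label, not non-ASCII on its own."""
    labels = domain.lower().split(".")
    per_label: Dict[str, List[str]] = {lbl: sorted(label_scripts(lbl)) for lbl in labels}
    mixed = any(len(scripts) > 1 for scripts in per_label.values())
    try:
        wire = domain.lower().encode("idna").decode("ascii")
    except UnicodeError:
        wire = None
    return {
        "domain": domain,
        "labels": per_label,
        "mixed_script": mixed,
        "punycode": wire,
        "non_ascii": not domain.isascii(),
    }


def flag_sender(address: str) -> bool:
    """True if the address's domain has a label that mixes scripts."""
    _, _, domain = address.rpartition("@")
    return bool(analyse_domain(domain)["mixed_script"])


# Constructed samples for this example.
CONSTRUCTED_SAMPLES = [
    "newsletter@futurenet.com",                 # all Latin: fine
    "newsletter@futuren\u0435t.com",            # Cyrillic 'е' (U+0435) in place of Latin 'e'
    "info@\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444",  # all Cyrillic IDN: fine
]

if __name__ == "__main__":
    for addr in CONSTRUCTED_SAMPLES:
        report = analyse_domain(addr.rpartition("@")[2])
        verdict = "MIXED-SCRIPT" if report["mixed_script"] else "ok"
        print(f"{verdict:13} {addr}  wire={report['punycode']}")
```

The punycode column is the useful thing to log: a sender that renders as futurenet.com but arrives as an xn-- label is visible to rules and reviewers even when the mail client draws the look-alike glyph.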
In the aforementioned hypothetical and seemingly innocent email is a Word document claiming to be about something routine, such as a newsletter that needs reading or a form that needs filling out. When you click the hypothetical document, it shows up in Protected View because it’s a document from the web. Many people will ignore that warning and click “enable editing” on any document they open. People are even more likely to enable editing on a document that appears to be from a genuine contact.
Once you click the enable editing button, your PC is exposed to malicious code, like that found in recent attacks highlighted by researchers. The recent "Windows 11 Alpha" campaign is a great example of this type of attack. It claims that people need to click a button to make a document from Windows 11 compatible with Windows 10. People unfamiliar with Windows 11 are likely to believe a prompt like this and open their PC to an attack.
Threat actors often take advantage of a combination of security vulnerabilities and people’s ignorance or innocence. Microsoft may be able to patch one set of vulnerabilities, but others can be discovered. At least some people will continue to be ignorant or naïve, which is why attack campaigns continue to be successful.
Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He’s covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean’s journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.