Security Alert: MS Office Zero Day and DNS Vulnerabilities Can Impact Users
Two important vulnerabilities have been found in Microsoft software
Two critical Microsoft vulnerabilities have been recently detected and could be easily exploited by attackers to gain access to users’ systems and devices.
During its monthly October 2017 Patch Tuesday, Microsoft released its security updates for multiple vulnerabilities found and managed to patch 62 security flaws that affected the Windows OS, the Office package, Skype for Business, Internet Explorer, Microsoft Edge, and the Chakra Core browser engine.
Of all of them, two security vulnerabilities were marked as “important” and carry a high risk of affecting users’ online security.
Microsoft Office Memory Corruption Vulnerability
This vulnerability (CVE-2017-11826) exists in Microsoft Office when the software fails to properly handle objects in memory; it is a memory corruption bug. According to Microsoft, attackers who succeed in exploiting this vulnerability “could run arbitrary code in the context of the current user.”
If the current user is logged on with administrative rights, an attacker can take full control of the affected system and, in that context, install programs; view, change, or delete data; or create new accounts with full user rights.
Users whose accounts have fewer rights on the system could be less affected than those who operate with administrative rights.
How this vulnerability can affect users
A user needs to open a specially crafted file with an affected version of Microsoft Office. An attacker could exploit this vulnerability by sending the crafted file to the user via email and trying to convince them to open it. As we know, this has been done before, countless times. For example, Facebook users were targeted by online criminals who tried to trick them into clicking on (suspicious) links received from friends.
That malware, which replicated over Facebook’s internal messaging system, Messenger, spread quickly; it was designed to convince users to click on a malicious link and then redirected all of their traffic through a large set of malicious domains.
If we consider a web-based attack scenario, the cyber criminal could host a website (or use a compromised website that accepts or hosts user-provided content) containing the specially crafted file, aimed at exploiting the vulnerability.
The attacker’s main goal is to convince users to click on a malicious link, and then open the malicious file.
It’s worth mentioning that this vulnerability was initially discovered by Qihoo 360 security researchers and reported to Microsoft. The researchers found that “the attack was initiated in August and the launch date of the attack can be dated back to September.” This is considered to be a zero-day vulnerability.
The in-the-wild attack starts with RTF (Rich Text Format) files containing highly targeted phishing content to persuade users to open them. The attacker triggered remote arbitrary code execution using Microsoft Word tags and their corresponding attributes.
The figure below shows how the payload is delivered and how the executed code took advantage of a DLL hijacking vulnerability in a well-known security product.
Source: 360coserec blog
Affected software products:
- Microsoft Windows 10 Version 1607 for 32-bit Systems
- Microsoft Windows 10 Version 1607 for x64-based Systems
- Microsoft Windows 10 for 32-bit Systems
- Microsoft Windows 10 for x64-based Systems
- Microsoft Windows 10 version 1511 for 32-bit Systems
- Microsoft Windows 10 version 1511 for x64-based Systems
- Microsoft Windows 10 version 1703 for 32-bit Systems
- Microsoft Windows 10 version 1703 for x64-based Systems
- Microsoft Windows 8.1 for 32-bit Systems
- Microsoft Windows 8.1 for x64-based Systems
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
Microsoft Office DNSAPI Remote Code Execution DNS Vulnerability
The second security vulnerability (CVE-2017-11779) is a remote code execution bug found in the Microsoft Windows DNS client.
Before providing more details about this vulnerability, let’s explain what DNS is and how DNS spoofing can occur.
DNS (Domain Name System)
It is a core part of how the Internet works: it translates domain names, such as WordPress.org, into IP addresses, so that users can reach the resources they need very quickly.
Here is how DNS works:
DNS is an essential part of our digital life, because it is everywhere and used by everyone with an Internet connection: it steers users’ traffic to the right destination. Plain DNS is also a plaintext protocol and is vulnerable to man-in-the-middle (MitM) attacks, which is why DNSSEC was created.
DNSSEC (Domain Name System Security Extensions)
It is a set of extensions that add security to the DNS protocol by enabling DNS responses to be validated. With this layer of protection, the DNS protocol is much less susceptible to different types of attacks, especially DNS spoofing attacks.
How DNS spoofing happens
DNS spoofing (also known as DNS cache poisoning) is a type of attack that exploits weaknesses in DNS to divert Internet traffic away from legitimate servers and redirect it to fake ones.
It is a man-in-the-middle technique used to feed false DNS information to a host, so that when someone tries to browse a legitimate site, they are sent instead to a fake site at an IP address chosen by the attacker.
How this DNS vulnerability happens
This critical vulnerability patched by Microsoft is a remote code execution flaw in the Windows Domain Name System (DNS) client in Windows 8 and 10. It lies in DNSAPI.dll, the core Windows library that sends DNS requests and receives responses from DNS servers, and it occurs when that library fails to properly handle DNS responses.
Specifically, the vulnerability involves the handling of NSEC records, the record type that DNSSEC adds to a zone when the zone is signed.
The following figure shows the DNS resource records in the zone contoso.com before and after zone signing.
Source: Microsoft.com
An attacker who successfully exploited the vulnerability could run arbitrary code on Windows clients or Windows server installations in the context of the Local System Account.
To exploit it, an attacker uses a malicious DNS server to send malformed DNS responses to targeted users.
It was initially discovered by Nick Freeman, a security researcher from Bishop Fox, who showed how an attacker who controls a user’s DNS responses (via a man-in-the-middle attack or a malicious coffee-shop hotspot) can gain access to the user’s system.
According to the researcher, this affects any application that makes DNS queries (web browsers, mail clients and so on), not just browsers.
For more in-depth technical details, read Bishop Fox’s blog post.
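The two DNS-side weaknesses described above, a spoofed answer that the client accepts because it does not check it against the query it sent, and a malformed answer whose length fields the client trusts, both come down to what a DNS client verifies before it uses a response. The following Python script is an added example, not code from the original post, from Microsoft or from Bishop Fox, and it does not reproduce the actual bug in DNSAPI.dll or the vendor’s fix. It parses a DNS message with every length field checked against the bytes actually present, including the per-window length byte of an NSEC type bitmap, and it accepts a response only when the QR flag, transaction ID and question section match the outstanding query. All messages, names and addresses are constructed inside the script.

```python
import struct

def build_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(buf, off, allow_ptr=True, depth=0):
    """Decode a wire-format name; every byte access is bounds-checked first."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("name runs past end of message")
        n = buf[off]
        if n & 0xC0 == 0xC0:  # compression pointer: must point backwards, never loop
            ptr = ((n & 0x3F) << 8) | buf[off + 1] if off + 1 < len(buf) else off
            if not allow_ptr or depth > 10 or ptr >= off:
                raise ValueError("bad compression pointer")
            rest, _ = read_name(buf, ptr, True, depth + 1)
            return ".".join(l for l in labels + [rest] if l), off + 2
        if n > 63 or off + 1 + n > len(buf):
            raise ValueError("label too long or truncated")
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def parse_nsec_rdata(rdata):
    """NSEC RDATA (RFC 4034): next owner name, then (window, length 1..32, bitmap) blocks."""
    next_name, off = read_name(rdata, 0, allow_ptr=False)
    types = []
    while off < len(rdata):
        if off + 2 > len(rdata):
            raise ValueError("truncated NSEC window header")
        window, bml = rdata[off], rdata[off + 1]
        off += 2
        # The length byte came from the network: check it against the bytes present.
        if not 1 <= bml <= 32 or off + bml > len(rdata):
            raise ValueError("NSEC bitmap length exceeds RDATA")
        for i in range(bml):
            for bit in range(8):
                if rdata[off + i] & (0x80 >> bit):
                    types.append(window * 256 + i * 8 + bit)
        off += bml
    return next_name, types

def parse_message(buf):
    """Parse header, questions and all resource records, validating every length field."""
    if len(buf) < 12:
        raise ValueError("shorter than DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(buf, off)
        if off + 4 > len(buf):
            raise ValueError("truncated question")
        questions.append((name,) + struct.unpack("!HH", buf[off:off + 4]))
        off += 4
    for _ in range(an + ns + ar):
        name, off = read_name(buf, off)
        if off + 10 > len(buf):
            raise ValueError("truncated RR header")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if off + rdlen > len(buf):  # RDLENGTH is untrusted: compare with the real size
            raise ValueError("RDLENGTH exceeds message")
        rdata = buf[off:off + rdlen]
        off += rdlen
        records.append((name, rtype, parse_nsec_rdata(rdata) if rtype == 47 else rdata))
    return msg_id, flags, questions, records

def validate_response(query, response):
    """Accept only a well-formed response whose QR bit, ID and question match the query sent."""
    try:
        q_id, _, q_qs, _ = parse_message(query)
        r_id, r_flags, r_qs, r_rrs = parse_message(response)
    except ValueError as e:
        return False, "malformed: %s" % e
    if not r_flags & 0x8000:
        return False, "QR bit not set"
    if r_id != q_id:
        return False, "transaction ID mismatch"
    if r_qs != q_qs:
        return False, "question section mismatch"
    return True, "accepted %d records" % len(r_rrs)

def build_message(msg_id, flags, name, records=()):
    """Build a constructed query/response for <name> A IN; RR owner names point at the question."""
    msg = struct.pack("!6H", msg_id, flags, 1, len(records), 0, 0) + build_name(name) + b"\x00\x01\x00\x01"
    for rtype, rdata in records:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

# Constructed sample traffic (not captured from any real resolver); addresses are documentation ranges.
QUERY = build_message(0x1234, 0x0100, "example.com")
GOOD = build_message(0x1234, 0x8180, "example.com", [(1, bytes([203, 0, 113, 10]))])
SPOOFED = build_message(0x4321, 0x8180, "example.com", [(1, bytes([198, 51, 100, 1]))])  # wrong ID
NSEC_OK = build_message(0x1234, 0x8180, "example.com", [(47, build_name("mail.example.com") + bytes([0, 6, 0x40, 0, 0, 0, 0, 0x03]))])
# Bitmap header claims 32 bytes but only 4 follow: an unchecked parser would read past the buffer.
NSEC_BAD = build_message(0x1234, 0x8180, "example.com", [(47, build_name("mail.example.com") + bytes([0, 32]) + b"\x00" * 4)])
```

Calling validate_response(QUERY, r) for GOOD and NSEC_OK returns an accept; SPOOFED is rejected on the transaction ID, NSEC_BAD is rejected because the bitmap length byte exceeds the RDATA actually present, and a truncated copy of GOOD is rejected because RDLENGTH overruns the message. Real clients additionally randomise the source port and, with DNSSEC, verify the RRSIG over the NSEC record; those checks are outside this script.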
Video: CVE-2017-11779: Multiple Heap Buffer Overflows in the Windows DNS Client (Bishop Fox, on Vimeo).
The affected software versions:
- Windows 10 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 10 Version 1511 for 32-bit Systems
- Windows 10 Version 1511 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1703 for 32-bit Systems
- Windows 10 Version 1703 for x64-based Systems
- Windows 8.1 for 32-bit systems
- Windows 8.1 for x64-based systems
- Windows RT 8.1
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
Use this protection guide to fight against (potential) cyber attacks
We remind you that every computer makes DNS requests, which means every computer is exposed to such attacks. Online criminals gain multiple advantages from targeting DNS services, and can easily target both organizations and end users.
Here’s what you should do:
- Install all the latest Windows updates for your operating system and keep all your applications up to date;
- Risks can be mitigated but not fully eliminated, so patching is essential; there is no way around it;
- Organizations need to keep their infrastructure up to date and actively defend it by closing potential security holes;
- Use a reliable, secure DNS service on all your devices;
- Block external access at the organization’s network perimeter unless external parties require the service;
- Restrict access to trusted computers or networks only, to reduce the chance of an exploit succeeding;
- Run software under non-administrative accounts with minimal access rights;
- Use multiple layers of protection, combining an antivirus program with a proactive security solution;
- Use a security solution that provides DNS-based traffic filtering as part of its protection suite, to make your system more resilient to cyber attacks.