Microsoft Office Tops the Exploit Charts

April 10, 2018 • The Recorded Future Team

Key Takeaways

  • Recorded Future research shows that seven of the top 10 vulnerabilities exploited in 2017 targeted Microsoft products.
  • At least two of these, CVE-2017-0199 and CVE-2017-0189, were critical vulnerabilities — their exploitation allowed threat actors to arbitrarily execute code or access and change data.
  • Despite being aware of at least some of these vulnerabilities for many months, Microsoft did not immediately patch them, leaving users exposed. Patches were not released until after exploits targeting those vulnerabilities appeared for sale on the dark web.
  • The pattern and timeline of vulnerability recognition and response shows that proprietors like Microsoft do not always disclose information about existing cybersecurity threats, illustrating the usefulness of third-party threat intelligence in providing another measure of your organization’s vulnerabilities.

According to Recorded Future’s research, seven of the top 10 most exploited vulnerabilities in 2017 targeted Microsoft products. This represents a shift from past years, where vulnerabilities in Adobe products consistently topped the list. The more troubling news, however, was Microsoft’s slow response to these vulnerabilities. Despite being identified by both Microsoft and cybersecurity companies like McAfee, some of these vulnerabilities were not patched for many months, leaving users dangerously exposed to exploitation.

How CVE-2017-0199 Works

The most exploited vulnerability in 2017, labeled CVE-2017-0199, was first publicly identified by McAfee in early April 2017, but its research showed that it had begun to be exploited by threat actors as early as January 2017.

The vulnerability was present in a feature in Microsoft Word and WordPad that allows users to embed documents within documents, providing a convenient way to link from one file to another. Exploits of this feature would generally use a rich text format (RTF) file, appearing as a regular Word document with a “.doc” extension. After being opened, the exploit would download an HTML Executable file, allowing attackers to execute any code of their choosing on the targeted machine.

The document embedding function at the heart of this vulnerability relies on Object Linking and Embedding (OLE), a major feature of Microsoft Office — and also the avenue through which nearly every previously identified critical vulnerability in Office has been exploited.

Because the exploit was disguised as a normal RTF file, it was able to avoid detection by many security products. The innocuous appearance of the file extension — not, for example, a suspicious “.exe” that so many employees are warned about in cybersecurity training — made the exploit particularly effective when used in phishing attacks.

History of CVE-2017-0199

A security consultant first identified the vulnerability in July 2016, after which he spent a few months testing out ways to exploit it before sharing his findings with Microsoft in October of that year. At that point, Microsoft had a few options: Alert Microsoft Word users about the vulnerability and how to protect themselves against it immediately — the simple but voluntary step of changing Office to Protected View mode would prevent the vulnerability from being exploited — or quickly create a patch and distribute it as part of its monthly updates.

Instead, however, Microsoft chose to quietly investigate the vulnerability over the next several months, leaving it unpatched because they believed it was not yet being exploited and they wanted to be sure that they developed a comprehensive solution before publicly addressing it.

In the meantime, the vulnerability was, in fact, being exploited. According to Gartner research, the vast majority of vulnerabilities are exploited within about two weeks, or not at all. The first attacks, which came in late January, seemed to target military and political figures in Ukraine and Russia, and the nature of the attacks suggested that they were state sponsored. Further attacks using the exploit were detected by multiple cybersecurity firms over the next few months, and on April 9, 2017, a program exploiting the vulnerability was found being sold on the dark web. The next day, malware using the exploit was sent to millions of computers in Australia.

Despite months of awareness and investigation into the vulnerability, Microsoft did not release a patch until April 11, 2017, a few days after McAfee made the vulnerability known to the public in a blog post — too late to protect against malware that had already been distributed.

CVE-2017-0189 Takes the Silver

The second most exploited vulnerability in 2017, CVE-2017-0189, also targeted Windows systems — in this case, a flaw in the Win32k.sys files in the Windows 10 operating system. This vulnerability allowed arbitrary escalation of privilege, meaning threat actors who were able to log in to the system in kernel mode and exploit it could then create new accounts with full user rights, install programs, and view, change, or delete any data on the system.

It was not publicly identified until April 11, 2017, when it was patched at the same time as CVE-2017-0199 and a number of other vulnerabilities in Microsoft’s monthly update. Although this vulnerability was not as widely publicized as CVE-2017-0199, Recorded Future’s research shows that it was nearly as widely exploited, making frequent appearances on dark web forums as part of at least 11 different affordable, easily obtainable exploit kits and builders.

Conclusion

One pattern that has emerged from Recorded Future’s research is the shift away from exploits targeting vulnerabilities in Adobe products and toward Windows products in the last few years. In 2015 and 2016, Adobe vulnerabilities made up the majority of the top 10 most exploited, but in 2017, they represented only three of the top 10. It is a law of nature that things tend to follow the path of least resistance, and threat actors are no exception. Although Adobe products continue to be used in a wide variety of applications, some of its most popular products, like Flash, are on the decline, making them less appealing targets compared to evergreen Microsoft products, like its Office suite.

Whatever the specifics, and whoever the targets, Adobe and Microsoft’s cautious reactions to these critical vulnerabilities being identified in their products illustrates another important point in the threat intelligence world: Even the largest and most well-funded tech companies will never produce products that are completely secure from even moderately competent threat actors, but instead will always be playing catch-up to vulnerabilities being identified.

Microsoft’s actions also show that individuals and organizations in cybersecurity must often make difficult decisions about what information to make public and what to keep private. Had Microsoft immediately warned the public about these vulnerabilities without providing a universal solution, instead relying on users to voluntarily protect themselves (and many users likely wouldn’t), it’s possible that threat actors who would have otherwise been unaware of these vulnerabilities would have that much more time to exploit them. Microsoft’s decision to continue investigating the problem without either making it public knowledge or patching it immediately was a calculated risk.

Organizations that also rely on relevant and timely threat intelligence coming from third parties will have a better chance of responding to critical vulnerabilities quickly enough to reduce risk of exploitation.

For more information on vulnerabilities exploited by threat actors in 2017, download your complimentary copy of “The Top 10 Vulnerabilities Used by Cybercriminals.”