Attackers have found a way to bypass a crucial Microsoft Office patch

Attackers have managed to create a novel exploit capable of bypassing a critical remote code execution vulnerability in Microsoft Office ...

Attackers have managed to create a novel exploit capable of bypassing a critical remote code execution vulnerability in Microsoft Office which was patched earlier this year.

According to new research from the cybersecurity firm Sophos, the attackers were able to take a publicly available proof-of-concept Office exploit and weaponize it to deliver the Formbook malware

Back in September, Microsoft released a patch to prevent attackers from executing malicious code embedded in a Word document that downloads a Microsoft Cabinet (CAB) archive containing a malicious executable. By reworking the original exploit and placing the malicious Word document inside a special crafted RAR archive, the attackers created a “CAB-less” form of the exploit capable of successfully evading the original patch.

Surprisingly though, this novel exploit was distributed using spam emails for approximately 36 hours before it disappeared completely. Sophos' researchers believe that the exploit's limited lifespan could mean that it was a “dry run” experiment that could be used in future attacks.

Bypassing a critical patch

During their investigation, Sophos' researchers found that the attackers responsible had created an abnormal RAR archive that had a PowerShell script prepending a malicious Word document stored inside the archive.

To spread their malformed RAR archive and its malicious contents, the attackers created and distributed spam emails which invited victims to uncompress the RAR file to access the Word document. However, opening the document triggered a process that ran the front-end script leading to their devices becoming infected with malware.

Principal threat researcher at Sophos, Andrew Brandt explained how the attackers were able to get around Microsoft patching the original vulnerability in a press release, saying:

“In theory, this attack approach shouldn't have worked, but it did. The pre-patch versions of the attack involved malicious code packaged into a Microsoft Cabinet file. When Microsoft’s patch closed that loophole, attackers discovered a proof-of-concept that showed how you could bundle the malware into a different compressed file format, a RAR archive. RAR archives have been used before to distribute malicious code, but the process used here was unusually complicated. It likely succeeded only because the patch’s remit was very narrowly defined and because the WinRAR program that users need to open the RAR is very fault tolerant and doesn’t appear to mind if the archive is malformed, for example, because it’s been tampered with.”

While patching software against known vulnerabilities is important, it's also equally important to educate employees regarding the dangers of opening suspicious email attachments especially when they arrive in unusual or unfamiliar compressed file formats.

We've also featured the best malware removal software, best antivirus and best endpoint protection software



from TechRadar - All the latest technology news https://ift.tt/3qf8PIy
via IFTTT

COMMENTS

BLOGGER
Name

Apps,3858,Business,151,Camera,1155,Earn $$$,3,Gadgets,1741,Games,926,GTA,1,Innovations,3,Mobile,1697,Paid Promotions,5,Promotions,5,Sports,1,Technology,8106,Trailers,796,Travel,37,Trending,4,Trendly News,25335,TrendlyNews,183,Video,5,XIAOMI,13,YouTube - 9to5Google,182,
ltr
item
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews: Attackers have found a way to bypass a crucial Microsoft Office patch
Attackers have found a way to bypass a crucial Microsoft Office patch
Trendly News | #ListenNow #Everyday #100ShortNews #TopTrendings #PopularNews #Reviews #TrendlyNews
http://www.trendlynews.in/2021/12/attackers-have-found-way-to-bypass.html
http://www.trendlynews.in/
http://www.trendlynews.in/
http://www.trendlynews.in/2021/12/attackers-have-found-way-to-bypass.html
true
3372890392287038985
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS PREMIUM CONTENT IS LOCKED STEP 1: Share. STEP 2: Click the link you shared to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy