Office bugs on the rise

Friday 5 October 11:30 - 12:00, Green room

Gabor Szappanos (Sophos)



It has never been easier to attack Office vulnerabilities than it is today. Office exploits have always been high-value assets for criminal groups because Microsoft Office documents are very efficient in delivering their malicious content: users tend to open them without a second thought. The presentation will look deeper into the dramatic changes that have happened in the past 12 months in the Office exploit scene – a scene that had looked stale in the past couple of years, with about one or two new vulnerabilities appearing every year that made their way to the commercial exploit builders. There has always been a hunger for new exploitable Office vulnerabilities in cybercrime, but the most important builders supported exploits that had been fixed for a couple of years already. That hurt the efficiency of the malware delivery process.

2017 brought a drastic change in many respects. The number of widely used exploits multiplied compared to the previous five years. More importantly, these exploits turned out to be much simpler. The previous major vulnerabilities were complex memory corruption vulnerabilities, and working with them required deep knowledge of document file formats and an advanced understanding of the concepts of exploitation. The new vulnerabilities of last year are much simpler logic bugs (CVE-2017-0199, CVE-2017-8759) or very simple classic stack overflows (CVE-2017-11882, CVE-2018-0802) – easier to understand and more robust when tweaked to evade detection.

It is no longer the privilege of skilled hackers to create builders for these exploits – average programming skills are now sufficient. As a result, we have seen a lot of these builders showing up on GitHub, free for the taking. This triggered a decline in the usage of the commercial exploit builders: their usual customers switched to the free offerings. The presentation will look at this transition, and at the efforts of the commercial exploit builder developers to keep up with the changing trends. The easy availability of these builders enabled many cybercrime actors to use the exploits with little-to-no investment, which multiplied the number of Office exploit-related attacks in the past 12 months.

The life cycle of an Office exploit starts with initial zero-day targeted attacks; then, at some point, a few well-resourced cybercrime groups start using it. Later, the exploit ends up in builders, which leads to an explosion of use by many groups hitting the general user population.

This cycle usually takes a few months, as we have seen with many exploits in the past few years. However, last year, driven by the great demand for fresh Office exploits, this cycle was pushed down to weeks.

The presentation will reconstruct the timeline of one of the hottest Office exploits (CVE-2017-0199), which featured the following typical scenarios in its life cycle:

  • Zero-day APT activities
  • Enthusiastic security researchers playing with the exploit
  • APT groups experimenting with bypassing virus scanners
  • The appearance of exploit builders (both commercial and free)
  • The explosion of the usage in cybercrime