Office bugs on the rise

Friday 5 October 11:30 - 12:00, Green room

Gabor Szappanos (Sophos)

It has never been easier to attack Office vulnerabilities than nowadays. Office exploits have always been high-value assets for criminal groups because Microsoft Office documents are very efficient in delivering their malicious content - users tend to open them without a second thought. The presentation will look deeper into the dramatic changes that have happened in the past 12 months in the Office exploit scene – a scene that looked stale in the past couple of years, with about one or two new vulnerabilities appearing every year that made their way to the commercial exploit builders. There has always been a hunger for new exploitable Office vulnerabilities in cybercrime, but the most important builders supported exploits that had been fixed for a couple of years already. That hurt the efficiency of the malware delivery process. 2017 brought a drastic change in many respects. The number of widely used exploits multiplied compared to the previous five years. More importantly, these exploits turned out to be much simpler. The previous major vulnerabilities were complex memory corruption vulnerabilities, and working with them required deep knowledge of document file formats and advanced understanding of the concepts of exploitation. The new vulnerabilities of last year are much simpler logic bugs (CVE-2017-0199, CVE-2017-8759) or very simple classic stack overflows (CVE-2017-11882, CVE-2018-0802) – easier to understand and more robust to detection evasion tweaking.

It is no longer the privilege of skilled hackers to create builders for these exploits – average programming skills are now sufficient. As a result, we have seen a lot of these builders showing up on Github, free for the taking. This fact triggered a decline in the usage of the commercial exploit builders: their usual customers switched to the free offerings. The presentation will look at this transition, and at the efforts of the commercial exploit builder developers to keep up with the changing trends. The easy availability of these builders enabled many cybercrime actors to use the exploits with little-to-no investment, resulting in the multiplied number of Office exploit-related attacks in the past 12 months.

The life cycle of an Office exploit starts with initial zero-day targeted attacks; then, at some point, a few well-resourced cybercrime groups start using it. Later, the exploit ends up in builders, which leads to an explosion of use by many groups hitting the general user population.

This cycle can usually take a few months, as we have seen this process happening with many exploits in the past few years. However, last year, driven by the great demand for fresh Office exploits, this cycle was pushed down to weeks.

The presentation will reconstruct the timeline of one of the hottest Office exploits (CVE-2017-0199), which featured the following typical scenarios in its life cycle:

  • Zero-day APT activities
  • Enthusiastic security researchers playing with the exploit
  • APT groups experimenting with bypassing virus scanners
  • The appearance of exploit builders (both commercial and free)
  • The explosion of the usage in cybercrime

Gabor Szappanos

Gabor Szappanos graduated from the Eotvos Lorand University of Budapest with a degree in physics. His first job was in the Computer and Automation Research Institute, developing diagnostic software and hardware for nuclear power plants.

He started anti-virus work in 1995, and has been developing freeware anti-virus solutions in his spare time. In 2001, he joined VirusBuster, where he was responsible for taking care of macro viruses and script malware. In 2002, he became the head of the VirusBuster virus lab. In 2012, he joined Sophos as a principal malware researcher.

Between 2008 and 2016, Gabor was a member of the board of directors of AMTSO (the Anti-Malware Testing Standards Organization).
