Menu
APT attackers are increasingly using booby-trapped RTF documents, experts say

APT attackers are increasingly using booby-trapped RTF documents, experts say

Microsoft Officer RTF parsing vulnerabilities are a common target for attackers who distribute advanced persistent threats

Booby-trapped RTF documents are one of the most common types of malicious Microsoft Office files that are used to infect computers with advanced persistent threats (APTs), according to security researchers from Trend Micro.

"Taking data from exploit documents gathered last April, we can see that the most exploited MS Office software is MS Word," said Trend Micro senior threat researcher Ryan Flores, in a blog post on Wednesday.

The company's statistics show that 63 percent of the malicious Microsoft Office documents intercepted in April exploited vulnerabilities in Microsoft Word.

Out of those vulnerabilities, the most commonly targeted ones were CVE-2010-3333 and CVE-2012-0158, which stem from bugs in Microsoft Word's code for parsing Rich Text Format content.

RTF content can either be saved in a document with an .rtf extension, or can be embedded into a .doc file. In fact, many malicious documents that exploited CVE-2010-3333 and CVE-2012-0158 have had a .doc extension.

The fact that the 2-year-old CVE-2010-3333 vulnerability is still widely exploited in attacks today shows that companies from many industries are failing to keep their Microsoft Office installations up to date, Flores said.

This is particularly troubling because Microsoft just patched a new Microsoft Word RTF parsing vulnerability Tuesday that could allow remote code execution.

The vulnerability is identified as CVE-2012-0183 and affects Microsoft Office 2003 and 2007 for Windows, as well as Microsoft Office 2008 and 2011 for Mac OS.

Considering the attackers' rapid adoption of exploits for CVE-2012-0158, a RTF parsing vulnerability patched by Microsoft in April, it's likely that CVE-2012-0183 will also be targeted soon.

"Within a span of two weeks, CVE-2012-0158 went from zero to actually surpassing CVE-2010-3333 as the preferred exploit of attackers," Flores said. "This just shows that the time window for patching critical vulnerabilities is small, which requires due diligence and discipline on patch management by organizations."

APT attacks that use boobytrapped documents don't only target Windows users. Back in March, researchers from security firm AlienVault, analyzed an APT attack against Tibetan activists that exploited a vulnerability in Microsoft Office for Mac to install Mac malware.

"With the current interest being shown by cybercriminals in infecting Macs, it would be extremely sensible for all users of Microsoft Office on the Mac to update their systems as a matter of priority," said Graham Cluley, a senior technology consultant at antivirus vendor Sophos, in a blog post on Wednesday.

"Note that if you rely solely upon the Software Update feature built into Mac OS X it will not update the Microsoft product," Cluley said. Security patches for Microsoft Office for Mac are delivered through the program's own updating mechanism.

Follow Us

Join the ARN newsletter!

Error: Please check your email address.

Upcoming

Slideshows

IN PICTURES: Nutanix's .NEXT channel event in Sydney (+20 photos)

IN PICTURES: Nutanix's .NEXT channel event in Sydney (+20 photos)

Nutanix recently held its customer and channel event, .NEXT, in Sydney. The event, held at the Sheraton on the Park saw attendance from more than 150 channel and technology partners and customers. It was the first in a series of events Nutanix is holding in A/NZ in August and September, the objective of which is to brief partners and customers on “what’s next” in the design and management of datacentre technology.

IN PICTURES: Nutanix's .NEXT channel event in Sydney (+20 photos)
IN PICTURES: EDGE 2015 sponsor debrief (+23 photos)

IN PICTURES: EDGE 2015 sponsor debrief (+23 photos)

Some of the sponsors of ARN's inaugural EDGE 2015 event got together at the ARN office for a debrieef of the event. Over some drinks and cheese, these attendees got an update on some key statistics that arose from the EDGE event and discussed potential topics and improvements that can be made at next year's event.

IN PICTURES: EDGE 2015 sponsor debrief (+23 photos)
IN PICTURES: ARN Distributor Roundtable, Sydney, 26.08.15 (+26 photos)

IN PICTURES: ARN Distributor Roundtable, Sydney, 26.08.15 (+26 photos)

ARN hosted a distributor roundtable at Cafe Del Mar in Sydney, at which attendees and their partners discussed the changing role of the traditional IT distributor. They spoke about the challenges of digital disruption, the blurring lines of the channel in the age of digital transformation, and examined the ever-evolving business models. This roundtable was sponsored by Distribution Central, Exclusive Networks, Rhipe, and Hemisphere Technologies. Photos by ARN Editorial Director, Mike Gee.

IN PICTURES: ARN Distributor Roundtable, Sydney, 26.08.15 (+26 photos)

iasset.com is a channel management ecosystem that automates all major aspects of the entire sales, marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Show Comments