One of MWR InfoSecurity's Singapore-based researchers, Yong Chuan Koh, recently published an advisory on a Microsoft Office vulnerability.
Despite MS having now patched it, I think the fact that it was being exploited in the wild makes it an interesting story. I asked Yong the following questions:
How critical is the flaw?
"This flaw belongs to the Use-After-Free (UAF) class of vulnerability, and is exploitable if an attacker is able to manipulate the allocation/free of memory. This is not difficult, as CVE-2012-4969, CVE-2012-4792, CVE-2015-0311 and CVE-2015-5119 are examples of such UAF vulnerabilities in IE and Adobe Flash found to be exploited in the wild. Upon success, an attacker is able to run arbitrary code in the context of the logged-in user."
How would a typical attack work? E.g. would an attacker send a user an infected Word/Excel/PPT document attached to a spear phishing email?
"Yes, you are right; the attacker would have to trick you into opening the infected document through spear phishing or other means."
So a user would just have to open the document, or would I have to run a macro or something like that?
"Just opening the document is sufficient, unless the specific COM object is kill-bitted (i.e. not allowed to run)."
Are hackers using the flaw? Any evidence?
"The MS Security Bulletin (https://technet.microsoft.com/en-us/library/security/ms15-081.aspx) states that this flaw was reported to be exploited in the wild."
Should organisations patch now or run tests first?
"As it was being exploited, I would recommend patching first. I first reported this vulnerability to MS in Feb 2015, and I assume (big leap of faith? :) ) that MS would have thoroughly tested the patch for most situations in these 6 months before release."
Any other measures orgs can take to protect themselves?
"This UAF vulnerability is triggered upon loading of the TaskSymbol ActiveX object (see https://labs.mwrinfosecurity.com/system/assets/1024/original/mwri_advisory_microsoft_office_ctasksymbol_use_after_free_cve-2015-1642.pdf for details).
As a workaround, administrators can either disable this ActiveX control, or view the document in Protected View mode. And lastly, the usual advice of avoiding opening documents from unknown sources."
Any other comments?
"It's been quite some time since we last saw a big patch for MS Office. This serves as a reminder that MS Office is no safer than other applications like IE."
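The two workarounds Yong mentions (kill-bit the TaskSymbol ActiveX control so Office will not load it, and keep Protected View switched on) can be checked and applied from an elevated PowerShell prompt. The script below is an added example written for this post; it is not part of the original interview nor of MWR's advisory. The CLSID is a placeholder: the control's real CLSID is given in the linked advisory, not on this page, and must be substituted before the script is run. The registry locations are the standard ones Office and IE honour for the kill bit (including the Wow6432Node hive for 32-bit Office on 64-bit Windows) and for the per-user Protected View settings.

```powershell
# Added example (not from the interview or MWR's advisory): inspect and apply the
# two workarounds discussed above. Run in an elevated PowerShell session.
# The CLSID below is a PLACEHOLDER; take the real TaskSymbol CLSID from the advisory.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, see above
)

$KillBit = 0x400   # COMPAT_DISABLE: "never instantiate this control" for IE and Office
$CompatPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"  # 32-bit Office on 64-bit Windows
)

function Test-ActiveXKillBit {
    # Reports, per hive, whether the kill bit is already set for the given CLSID.
    param([string]$Clsid)
    foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }   # Wow6432Node does not exist on 32-bit Windows
        $key = Join-Path $base $Clsid
        $flags = 0
        if (Test-Path $key) {
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -eq $flags) { $flags = 0 }
        }
        [pscustomobject]@{ Hive = $base; KillBitSet = (($flags -band $KillBit) -ne 0) }
    }
}

function Set-ActiveXKillBit {
    # Sets the kill bit in every applicable hive, preserving any other compatibility flags.
    param([string]$Clsid)
    foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $existing) { $existing = 0 }
        # OR the bit in rather than overwriting flags another product may have set
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($existing -bor $KillBit) -Type DWord
    }
}

function Test-OfficeProtectedView {
    # Protected View is on by default. Each of these HKCU values, when set to 1, turns it
    # off for one file source (Internet, Outlook attachments, unsafe locations).
    $apps          = 'Word', 'Excel', 'PowerPoint'
    $versions      = '14.0', '15.0', '16.0'     # Office 2010, 2013, 2016
    $disableValues = 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV'  # "Attachements" is Microsoft's spelling
    foreach ($v in $versions) {
        foreach ($app in $apps) {
            if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\$app")) { continue }  # not installed / never run by this user
            $key   = "HKCU:\Software\Microsoft\Office\$v\$app\Security\ProtectedView"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            $disabled = foreach ($name in $disableValues) { if ($props -and $props.$name -eq 1) { $name } }
            [pscustomobject]@{
                App                 = "$app $v"
                ProtectedViewIntact = (-not $disabled)
                DisabledBy          = ($disabled -join ',')
            }
        }
    }
}

Test-ActiveXKillBit -Clsid $Clsid | Format-Table -AutoSize
# Set-ActiveXKillBit -Clsid $Clsid      # uncomment to apply; note this also blocks the control in IE
Test-OfficeProtectedView | Format-Table -AutoSize
```

Two caveats when using it: the kill bit is global, so any document or web page that legitimately relies on the control will stop working until the patch is applied and the bit is cleared; and the Protected View check only covers the current user's settings, so a Group Policy that disables Protected View (under HKCU\Software\Policies\Microsoft\Office) would not be reported by this script and should be checked separately.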