Microsoft Office CTaskSymbol Use-After-Free Vulnerability


One of MWR InfoSecurity's Singapore-based researchers, Yong Chuan Koh, recently published an advisory on a Microsoft Office vulnerability.

Despite MS having now patched it, I think the fact that it was being exploited in the wild makes it an interesting story. I asked Yong the following questions:


How critical is the flaw?

"This flaw belongs to the Use-After-Free (UAF) class of vulnerability, and is exploitable if an attacker is able to manipulate the allocation/free of memory. This is not difficult, as CVE-2012-4969, CVE-2012-4792, CVE-2015-0311 and CVE-2015-5119 are examples of such UAF vulnerabilities in IE and Adobe Flash found to be exploited in the wild. Upon success, an attacker is able to run arbitrary code in the context of the logged-in user."

How would a typical attack work? E.g. would an attacker send a user an infected Word/Excel/PPT document attached to a spear-phishing email?

"Yes, you are right; the attacker would have to trick you into opening the infected document through spear phishing or other means."

So a user would just have to open the Document or would I have to run a macro or something like that?

"Just opening the document is sufficient, unless the specific COM is killbit-ed (i.e. not allowed to run)."

Are hackers using the flaw, any evidence?

"The MS Security Bulletin (https://technet.microsoft.com/en-us/library/security/ms15-081.aspx) states that this flaw was reported to be exploited in the wild."

Should organisations patch now or run tests first?

"As it was being exploited, I would recommend patching first. I first reported this vulnerability to MS in Feb 2015, and I assume (big leap of faith? :) ) that MS would have thoroughly tested the patch for most situations in these 6 months before release."

Any other measures orgs can take to protect themselves?

"This UAF vulnerability is triggered upon loading of the TaskSymbol ActiveX object (see https://labs.mwrinfosecurity.com/system/assets/1024/original/mwri_advisory_microsoft_office_ctasksymbol_use_after_free_cve-2015-1642.pdf for details).

As a workaround, administrators can either disable this ActiveX, or view the document in Protected-View mode. And lastly, the usual advice: avoid opening documents from unknown sources."
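The first workaround above (disabling the ActiveX control) is done by setting the control's kill bit, which IE and Office consult before instantiating a COM object. The script below is an added example, not code from the post or the MWR advisory; it audits and sets the kill bit for a CLSID and reports Word's Protected View settings. The CLSID is a placeholder (this post does not give it; take it from the advisory), the Protected View value names are assumed from Office's Trust Center registry layout, and the script must run elevated.

```powershell
# Added helper (not from the advisory). Replace the placeholder with the CTaskSymbol CLSID.
$Clsid = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER CLSID from the MWR advisory

# Bit 0x400 of "Compatibility Flags" under ActiveX Compatibility is the kill bit.
# 32-bit Office on 64-bit Windows reads the Wow6432Node copy, so check both hives.
$KillBitFlag = 0x400
$CompatKeys  = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Get-CompatFlags([string]$Key) {
    if (-not (Test-Path $Key)) { return 0 }
    $v = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    return [int]$v.'Compatibility Flags'        # [int]$null is 0 when the value is absent
}

function Test-KillBit([string]$Key) {
    return [bool]((Get-CompatFlags $Key) -band $KillBitFlag)
}

function Set-KillBit([string]$Key) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $flags = (Get-CompatFlags $Key) -bor $KillBitFlag   # preserve any other flags already set
    New-ItemProperty -Path $Key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $flags -Force | Out-Null
}

foreach ($key in $CompatKeys) {
    if (Test-KillBit $key) { "Kill bit already set: $key" }
    else { Set-KillBit $key; "Kill bit set: $key" }
}

# Second workaround: report whether Word's Protected View is still enabled for risky
# sources. A value of 1 means that Protected View trigger has been DISABLED (assumed names).
$PvValues = 'DisableAttachementsInPV', 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV'
foreach ($ver in '14.0', '15.0', '16.0') {
    $pvKey = "HKCU:\Software\Microsoft\Office\$ver\Word\Security\ProtectedView"
    if (-not (Test-Path $pvKey)) { continue }
    $pv = Get-ItemProperty -Path $pvKey
    foreach ($name in $PvValues) {
        $state = if ([int]$pv.$name -eq 1) { 'DISABLED (weak)' } else { 'enabled' }
        "Office $ver Word $name : $state"
    }
}
```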

Any other comments?

"It's been quite some time since we last saw a big patch for MS Office. This serves as a reminder that MS Office is no less safe than other applications like IE."