Microsoft engineers have neutralized a series of attacks that took control of targeted computers by exploiting independent vulnerabilities in Word and Windows. Remarkably, the software maker said fixes or partial mitigations for all four security bugs were released before it received private reports of the attacks.
Both versions of the attacks used malformed Word documents that were attached to phishing e-mails sent to a highly select group of targets. The malicious documents chained together two exploits, one that targeted flaws in an Encapsulated PostScript filter in Word and the other that targeted elevation-of-privilege bugs in Windows so that the attack could break out of the security sandbox that fortifies Office. Encapsulated PostScript is an old format that’s rarely used any more.
One version of the attacks combined an exploit for a Word EPS flaw designated as CVE-2017-0261 with an exploit for CVE-2017-0001, a Windows privilege-escalation bug. By the time Microsoft received a private report of ongoing attacks in March, the company had already released a partial fix as part of its March Update Tuesday release. A second attack version exploited an EPS flaw indexed as CVE-2017-0262 in combination with CVE-2017-0263, a separate Windows privilege-elevation flaw.
Microsoft said it detected the attacks in mid-April, but, by then, customers were already protected by a defense-in-depth release that blocked the location where the vulnerable EPS code was stored.
Microsoft didn’t explain how it managed to thwart the attacks before it received word of them. In a blog post published Tuesday, company officials thanked security firms FireEye and Eset for their help in fixing the bugs. The post went on to say that fixes released as part of May’s Update Tuesday installment further address the vulnerabilities. The officials wrote:
Through the Microsoft Active Protections Program (MAPP), partners separately alerted us to closely related, targeted attacks. These attacks both used malformed Word documents to ensnare their targets through carefully crafted phishing mails intended for a very select audience. Both attacks were comprised of multiple vulnerabilities including a remote code execution flaw in the Encapsulated PostScript (EPS) filter in Office and a Windows elevation of privilege to elevate out of sandbox protections in Office. EPS files are a legacy format that has largely fallen out of favor in today’s ecosystem. For that reason, in April 2017, we released a defense-in-depth protection that turned that code path off by default for all customers. Customers who installed the cumulative update for Office last month have mitigated the attacks described below.
1. A Word EPS + Windows Elevation of Privilege (EoP) (CVE-2017-0261 + CVE-2017-0001)
This attack was reported to us in late March; however, customers were already protected by the March updates. Today, to fully address the EPS vulnerability and further protect the small number of customers who may choose to continue using the EPS filter, we released an update to address the Encapsulated PostScript vulnerability.
In terms of activity, we’ve seen a limited number of targeted attempts to use this method, which is no longer valid.
2. A Word EPS + Windows EoP (CVE-2017-0262 + CVE-2017-0263)
Microsoft detected this attack in mid-April; however, customers were already protected by the April defense-in-depth update (noted above) that broke the attack chain by turning off the EPS filter by default. Today, we are releasing further updates to address the underlying filter vulnerability and the elevation of privilege vulnerability in this attack.
In terms of activity, we’ve seen a limited number of attempts to use this method, which is no longer valid.
It’s not the first time this year that Microsoft has released patches with extremely fortuitous timing. As part of its March Update Tuesday, Microsoft released MS17-010, an update that immunized computers against several critical Windows vulnerabilities. Exactly one month later, a mysterious group that calls itself the Shadow Brokers published highly weaponized hacking tools that exploited some of those patched bugs. The March fixes came four weeks after Microsoft canceled its February Update Tuesday, something the company has never done before. Microsoft has yet to comment on the timing of the MS17-010 update or say if company officials received advanced word of the Shadow Brokers release plans.
In a blog post published Monday, researchers from security firm Rendition Infosec called on Microsoft to disclose if “telemetry” data collected from system crashes and other customer usage showed if any of the exploits were exploited in the wild prior to being released by Shadow Brokers in April.
“This whole event poses several questions that are valuable to the public interest and can help drive public policy around the vulnerability equities process,” Rendition Infosec researchers wrote. “It is fairly certain (and understandable) that NSA will not be releasing information about the exploits patched in MS17-010. However, Microsoft has no such national security issues inhibiting such a disclosure.”
In their own blog post published Tuesday, FireEye researchers said the attacks Microsoft disclosed Tuesday were carried out by two hacking groups tied to the Russian government, as well as a separate, financially motivated attack group. According to the post:
At the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently patched vulnerability in Windows Graphics Device Interface (GDI) to drop malware. Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.
FireEye believes that two actors–Turla and an unknown, financially motivated actor–were using the first EPS zero-day (CVE-2017-0261), and APT28 was using the second EPS zero-day (CVE-2017-0262) along with a new Escalation of Privilege (EOP) zero-day (CVE-2017-0263). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. Each EPS zero-day is accompanied by an EOP exploit, with the EOP being required to escape the sandbox that executes the FLTLDR.EXE instance used for EPS processing.
The malicious documents have been used to deliver three different payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was used to deliver GAMEFISH (APT28). CVE-2017-0263 is used to escalate privileges during the delivery of the GAMEFISH payload.
Eset provided its account of the exploits here.
It’s possible that the timing of updates—coming just ahead of or at roughly the same time as reports of in-the-wild exploits—is a lucky coincidence or even a testament to Microsoft’s proactive defenses. But it also seems possible the company somehow got advance warnings that haven’t been disclosed.