Thursday, March 17, 2011

Microsoft SRD: Blocking Exploit Attempts of the Recent Flash 0-Day

Via Microsoft SRD Blog -

We’ve recently become aware of a new exploit in the wild targeting a 0-day vulnerability in Adobe Flash Player. This exploit differs from the typical Flash Player attacks we’ve seen where a victim is lured into browsing to a website hosting malicious Flash content. Instead, these attacks involve a malicious Flash .swf file that is embedded into a Microsoft Excel document and then sent to a victim via email.


First, customers using Microsoft Office 2010 are not susceptible to the current attacks. The current attacks do not bypass the Data Execution Prevention (DEP) security mitigation. Microsoft Office 2010 turns DEP on for the core Office applications, and this also protects Flash Player when it is loaded inside an Office application. In addition, users of the 64-bit edition of Microsoft Office 2010 have even less exposure to the current attacks, as the shellcode in all the exploits we’ve seen will only work in a 32-bit process. What’s more, if an Office document originates from a known unsafe location such as email or the internet, Office 2010 opens it in the Protected View feature.


For users who want additional protections, as well as users of Microsoft Office prior to 2010, the Enhanced Mitigation Experience Toolkit (EMET) can help. Turning on EMET for the core Office applications enables a number of security protections called security mitigations. The exploits we’ve seen so far are broken by three of these mitigations: DEP, Export Address Table Access filtering (EAF), and HeapSpray pre-allocation. EMET is of value even for Microsoft Office 2010, which enables the first of the three (DEP) by default but not the second or third.

To be protected by EMET, there are a few steps you need to follow. You first need to download the tool, install it, and then configure it to protect an application. It’s a good idea to configure EMET to protect not just Excel but all of the Office applications: even though the attacks we’ve seen only target Excel, Flash Player can also be hosted in other Office applications.


Since Flash Player can also be hosted in a web browser, you may wish to turn on EMET for the browser you use. This can be done by adding the browser executable to the list of protected applications per the above steps. In general it is a good idea to utilize a browser that opts into DEP by default such as Internet Explorer 8 and 9 (as well as several third party browsers).
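As an added illustration (not part of the SRD post or this blog), the PowerShell script below performs the checks an administrator would want before and after following the EMET steps above: it reads the system-wide DEP policy, locates the Office and browser executables on the machine, reports whether each is a 32-bit or 64-bit image (recall that the observed shellcode only runs in a 32-bit process), and prints the EMET_Conf commands that would place each under EMET protection. The EMET_Conf.exe install path and its `--add` / `--list` syntax are assumptions based on the EMET 2.x command-line tool, not values taken from the page; run with `-Apply` only once you have confirmed them against your EMET version.

```powershell
# Added example, not from the SRD post: DEP policy check + EMET_Conf command generation.
# Assumption: EMET 2.x is installed here and EMET_Conf.exe accepts "--list" and "--add <exe path>".
param([switch]$Apply)

$EmetConf = 'C:\Program Files (x86)\EMET\EMET_Conf.exe'   # assumed install path

# Win32_OperatingSystem exposes the boot-time DEP policy:
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
$depPolicy = [int](Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
Write-Host "System DEP policy: $($depNames[$depPolicy])"
if ($depPolicy -eq 0) {
    # Under AlwaysOff, neither Office 2010's opt-in nor EMET can enforce DEP for a process.
    Write-Warning 'DEP is AlwaysOff; per-process opt-in (Office 2010, EMET) has no effect until the nx boot setting is changed.'
}

# Read the PE header's Machine field so we can tell 32-bit (x86) from 64-bit (x64) images.
function Get-PEMachine {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin) | Out-Null   # e_lfanew: offset of "PE\0\0"
        $peOffset = $br.ReadInt32()
        $fs.Seek($peOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null   # IMAGE_FILE_HEADER.Machine
        $machine = $br.ReadUInt16()
        switch ($machine) {
            0x14c  { 'x86' }
            0x8664 { 'x64' }
            default { '0x{0:X}' -f $machine }
        }
    } finally {
        $fs.Close()
    }
}

# Office hosts that can load the Flash ActiveX control, plus common browsers.
$targets = 'excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe', 'iexplore.exe', 'firefox.exe', 'chrome.exe'
$roots   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$found   = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Include $targets -ErrorAction SilentlyContinue
}

if (-not $found) {
    Write-Host 'No Office or browser executables found under Program Files.'
    return
}

foreach ($exe in $found) {
    $arch = Get-PEMachine $exe.FullName
    Write-Host ('{0,-70} {1}' -f $exe.FullName, $arch)
    if ($Apply) {
        & $EmetConf --add $exe.FullName
    } else {
        Write-Host ('    would run: "{0}" --add "{1}"' -f $EmetConf, $exe.FullName)
    }
}

if ($Apply) {
    # Show the resulting protected-application list for verification.
    & $EmetConf --list
}
```

Without `-Apply` the script is read-only and only reports; the 32-bit vs 64-bit column is the quickest way to see which Office install the current shellcode could actually run in.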

Beyond EMET, there is a workaround that Office 2007 users can use to prevent the Flash Player (as well as other ActiveX controls) from loading inside an Office application. This is done by changing the ActiveX setting in the Trust Center to “Disable all controls without notification”....

The ActiveX setting in the Trust Center can also be set via group policy or the registry. For more information, please refer to “Security policies and settings in the 2007 Office system”. As a final note, please be aware that this setting has the potential to break add-ons for Microsoft Office. It is a good idea to test any add-ons you use before rolling this change out widely.


For those interested in the Office 10 sandbox, check here - it’s basically the next generation of MOICE.

Sadly, not everyone is running Office 10, so if you are running Office 2003 or 2007, I would recommend installing the Microsoft Office Isolated Conversion Environment (MOICE) -

MOICE takes a potentially risky binary file type, converts it within a sandboxed process to the new XML format (much safer), then converts it back to the binary format and opens it. The intent of this round-trip conversion is to strip out any exploit code hidden within the file.
