Patched Flaw Suffering Attacks

Wednesday, April 25, 2012 @ 11:04 PM gHale

The vulnerability in Microsoft Office and other products that use MSCOMCTL.OCX is currently being exploited with maliciously crafted RTF, Word and Excel files.

The security hole, CVE-2012-0158, was patched in the April 2012 updates, but many users have failed to apply them, giving cybercriminals the opportunity to launch malicious operations, McAfee researchers said.

Experts found that the specially crafted files come with a vulnerable OLE object embedded and are usually sent to users via unsolicited emails.

So, how does the infection work? When the victim opens the infected file, they see a regular document presented as bait, but in the background, the magic happens and a nasty Trojan installs.

It all starts when the Word process opens the crafted document. The CVE-2012-0158 flaw is exploited and the shellcode in the OLE file triggers. This shellcode is responsible for installing the Trojan in the operating system’s Temp folder.

At this stage, the same shellcode starts a new Word process and opens the bait document, which is also dropped into the same Temp directory. The first process terminates and the victim only sees the legitimate-looking document.

Because the malicious element executes first and only then does the genuine file open, a victim may see Word open, quit, and then, almost immediately, re-launch to display the bait.

To protect themselves against this threat, Internet users should apply the latest updates offered by Microsoft.
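
The open, drop, relaunch and quit sequence described above leaves a recognizable trail in endpoint telemetry. The following is an added example, not code from the article or from McAfee, that flags it in a simplified event stream. The event format, file names, paths, PIDs, the five-second window and the payload extension list are all constructed assumptions.

```python
import ntpath

# Constructed telemetry (not from the article): (time_s, kind, pid, ppid, image, arg).
# arg is the command line for proc_start and the written path for file_write.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
WORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EVENTS = [
    (0.0, "proc_start", 50, 10, WORD, r"WINWORD.EXE C:\Users\alice\Documents\report.doc"),
    (9.0, "proc_start", 100, 20, WORD, r"WINWORD.EXE C:\Users\alice\Downloads\invoice.doc"),
    (9.4, "file_write", 100, 20, WORD, TEMP + r"\payload.exe"),
    (9.5, "file_write", 100, 20, WORD, TEMP + r"\bait.doc"),
    (9.7, "proc_start", 101, 100, WORD, "WINWORD.EXE " + TEMP + r"\bait.doc"),
    (9.9, "proc_exit", 100, 20, WORD, ""),
]
EXE_EXT = (".exe", ".dll", ".scr")  # assumed payload extensions, not from the article

def is_word(image):
    return ntpath.basename(image).lower() == "winword.exe"

def in_temp(path):
    return "\\temp\\" in path.lower()

def find_relaunch_chains(events, window=5.0):
    """Flag Word -> Word relaunches where the parent dropped files in Temp and quit."""
    procs, writes, exits, hits = {}, {}, {}, []
    for t, kind, pid, ppid, image, arg in events:
        if kind == "proc_start":
            procs[pid] = (t, ppid, image, arg)
        elif kind == "file_write":
            writes.setdefault(pid, []).append(arg)
        elif kind == "proc_exit":
            exits[pid] = t
    for pid, (t, ppid, image, cmd) in procs.items():
        parent = procs.get(ppid)
        if not (is_word(image) and parent and is_word(parent[2])):
            continue
        dropped = [p for p in writes.get(ppid, []) if in_temp(p)]
        payload = [p for p in dropped if p.lower().endswith(EXE_EXT)]
        # Bait: a Temp file the parent wrote that the relaunched Word was told to open.
        bait = [p for p in dropped if p not in payload and p.lower() in cmd.lower()]
        quit_fast = ppid in exits and 0 <= exits[ppid] - t <= window
        if payload and bait and quit_fast:
            hits.append({"parent": ppid, "child": pid, "payload": payload, "bait": bait})
    return hits

if __name__ == "__main__":
    for hit in find_relaunch_chains(EVENTS):
        print(hit)
```

The sketch ignores PID reuse and requires all three signals together (Word parent, executable plus document written to Temp, parent exit shortly after the child starts), which keeps ordinary Word sessions such as PID 50 out of the results.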
