RTFs Fall Victim to APTs

Monday, May 14, 2012 @ 03:05 PM gHale

Booby-trapped rich text format (RTF) documents are one of the most common types of malicious Microsoft Office files used to infect computers with advanced persistent threats (APTs), Trend Micro researchers said.

“Taking data from exploit documents gathered last April, we can see that the most exploited MS Office software is MS Word,” said Trend Micro senior threat researcher Ryan Flores.

Security a Weak Link for States
Security First; Not in Smart Grid
Smart Meters Getting Smarter
Energy Report: Poor Smart Meter Security

The company’s statistics show 63 percent of the malicious Microsoft Office documents intercepted in April exploited vulnerabilities in Microsoft Word.

Out of those vulnerabilities, the most commonly targeted ones were CVE-2010-3333 and CVE-2012-0158, which stem from bugs in Microsoft Word’s code for parsing Rich Text Format content.

RTF content can either save in a document with an .rtf extension, or can embed into a .doc file. In fact, malicious documents that exploited CVE-2010-3333 and CVE-2012-0158 have had a .doc extension.

Just seeing the 2-year-old CVE-2010-3333 vulnerability still widely exploited in attacks today shows companies are failing to keep their Microsoft Office installations up to date, Flores said.

This is particularly troubling because Microsoft just patched a new Microsoft Word RTF parsing vulnerability that could allow remote code execution.

That vulnerability is CVE-2012-0183 and affects Microsoft Office 2003 and 2007 for Windows, as well as Microsoft Office 2008 and 2011 for Mac OS.

Considering the attackers’ rapid adoption of exploits for CVE-2012-0158, a RTF parsing vulnerability patched by Microsoft in April, it’s likely CVE-2012-0183 will also be a target soon.

“Within a span of two weeks, CVE-2012-0158 went from zero to actually surpassing CVE-2010-3333 as the preferred exploit of attackers,” Flores said. “This just shows that the time window for patching critical vulnerabilities is small, which requires due diligence and discipline on patch management by organizations.”

APT attacks that use booby trapped documents don’t only target Windows users. Back in March, researchers from security firm AlienVault, analyzed an APT attack against Tibetan activists that exploited a vulnerability in Microsoft Office for Mac to install Mac malware.

“With the current interest being shown by cybercriminals in infecting Macs, it would be extremely sensible for all users of Microsoft Office on the Mac to update their systems as a matter of priority,” said Graham Cluley, a senior technology consultant at antivirus vendor Sophos.

“Note that if you rely solely upon the Software Update feature built into Mac OS X it will not update the Microsoft product,” Cluley said. Security patches for Microsoft Office for Mac go through the program’s own updating mechanism.

Leave a Reply

You must be logged in to post a comment.