LAS VEGAS. There was a time when Microsoft Office documents were easily exploitable by attackers, and those days may be on the way back.
According to a pair of researchers presenting at the Black Hat conference today, Microsoft Office is still at risk, despite multiple security measures taken by Microsoft and others. Taiwanese researchers Sung-ting Tsai (who also goes by the name TT) and Ming-chieh Pan demoed multiple techniques to a live Black Hat audience as proof of concept that they could exploit documents and use them as delivery platforms for malware.
TT noted that document attachments are often used in Advanced Persistent Threat (APT) attacks since the exploit can be customized.
“If you have installed all Microsoft Office patches and there are no 0 day vulnerabilities, will it be safe to open a Word or Excel document?” TT asked the audience. “The answer is no.”
The answer is no because of hybrid document attack techniques. TT explained that in the hybrid document exploit, a Flash file is embedded in an Excel or Word document.
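For defenders, the hybrid structure described above is something a mail or file gateway can check for. The following is an added example, not code from the talk or the article: a triage scan that flags Office files carrying a Shockwave Flash ActiveX control or an SWF header, whether or not any exploit is present. The function names and the sample package are constructed for illustration.

```python
import io
import struct
import uuid
import zipfile

# CLSID of the Shockwave Flash ActiveX control (matched in text and OLE binary form)
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA

def has_swf_header(data):
    """True if a plausible SWF header (magic, version, length) appears anywhere."""
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1 and pos + 8 <= len(data):
            version = data[pos + 3]
            (length,) = struct.unpack_from("<I", data, pos + 4)
            if 1 <= version <= 64 and length >= 8:  # heuristic sanity check
                return True
            pos = data.find(magic, pos + 1)
    return False

def scan_blob(name, data):
    """Return (part name, indicator) pairs for one blob of document bytes."""
    findings = []
    if FLASH_CLSID.bytes_le in data or str(FLASH_CLSID).encode() in data.lower():
        findings.append((name, "flash-clsid"))
    if has_swf_header(data):
        findings.append((name, "swf-header"))
    return findings

def scan_office_document(raw):
    """Scan each part of an OOXML (ZIP) package, or a legacy OLE file as one blob."""
    if not zipfile.is_zipfile(io.BytesIO(raw)):
        return scan_blob("<raw>", raw)
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        # Parts are deflate-compressed, so each must be decompressed before matching
        return [f for i in zf.infolist() for f in scan_blob(i.filename, zf.read(i))]

def build_sample(embed_flash):
    """Constructed sample: a ZIP package with an optional inert Flash control part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document>constructed sample</w:document>")
        if embed_flash:
            swf = b"CWS" + bytes([10]) + struct.pack("<I", 1024) + b"\x00" * 16
            zf.writestr("word/activeX/activeX1.bin", FLASH_CLSID.bytes_le + swf)
    return buf.getvalue()
```

A hit is a reason to quarantine or strip the object before delivery, not proof of malice; the SWF header match is a heuristic and can fire on unrelated binary data.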
TT explained that Microsoft’s DEP (Data Execution Prevention) can potentially be disabled via a malicious Flash file. That said, he noted that DEP and ASLR (Address Space Layout Randomization) in Microsoft Windows do give attack writers a headache.
TT also noted that Microsoft has released EMET (Enhanced Mitigation Experience Toolkit), which also makes it harder to exploit Office files. But that doesn’t mean attackers can’t get around those protections.
TT explained that with advanced fuzzing techniques, researchers are finding new Flash vulnerabilities that can then be leveraged in hybrid attacks against Office files.
Adobe has also recently strengthened Flash with sandboxing capabilities to limit the ability of potential rogue processes. TT explained that with Flash sandboxing the basic idea is that if you can access the network then you cannot access local files. And if you have local access then the Flash object will be restricted for network access.
There is a way to get around the Flash sandboxing that TT demonstrated. He explained that it is possible to use an mms:// link that will trigger Windows to open IE, which in turn will cause Windows Media Player to open. Using that simple workaround, TT said that an attacker could create an attack that might be able to steal users’ cookies, passwords or other information.
As a caveat, he showed that the attack worked easily in IE 7. With IE 8 and 9, users get a dialogue box that first asks for access. TT added that he could likely create a false dialogue box to trick users into clicking OK.
In terms of mitigating APT document attacks, TT said that signature-based anti-virus doesn’t work. He suggested that IPS (intrusion prevention systems) could help to mitigate risk.
TT then proceeded to demonstrate how some IPS systems could be defeated in order to enable the hybrid document attacks.
“We believe attackers are working hard on these topics,” TT said. “We wish security vendors will work on solutions to come out ahead of the attackers.”
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.