APT attackers are increasingly using booby-trapped RTF documents, experts say
- 11 May, 2012 00:26
- Comments
Booby-trapped RTF documents are one of the most common types of malicious Microsoft Office files that are used to infect computers with advanced persistent threats (APTs), according to security researchers from Trend Micro.
"Taking data from exploit documents gathered last April, we can see that the most exploited MS Office software is MS Word," said Trend Micro senior threat researcher Ryan Flores, in a blog post on Wednesday.
The company's statistics show that 63 percent of the malicious Microsoft Office documents intercepted in April exploited vulnerabilities in Microsoft Word.
Out of those vulnerabilities, the most commonly targeted ones were CVE-2010-3333 and CVE-2012-0158, which stem from bugs in Microsoft Word's code for parsing Rich Text Format content.
RTF content can either be saved in a document with an .rtf extension, or can be embedded into a .doc file. In fact, many malicious documents that exploited CVE-2010-3333 and CVE-2012-0158 have had a .doc extension.
The fact that the 2-year-old CVE-2010-3333 vulnerability is still widely exploited in attacks today shows that companies from many industries are failing to keep their Microsoft Office installations up to date, Flores said.
This is particularly troubling because Microsoft just patched a new Microsoft Word RTF parsing vulnerability Tuesday that could allow remote code execution.
The vulnerability is identified as CVE-2012-0183 and affects Microsoft Office 2003 and 2007 for Windows, as well as Microsoft Office 2008 and 2011 for Mac OS.
Considering the attackers' rapid adoption of exploits for CVE-2012-0158, a RTF parsing vulnerability patched by Microsoft in April, it's likely that CVE-2012-0183 will also be targeted soon.
"Within a span of two weeks, CVE-2012-0158 went from zero to actually surpassing CVE-2010-3333 as the preferred exploit of attackers," Flores said. "This just shows that the time window for patching critical vulnerabilities is small, which requires due diligence and discipline on patch management by organizations."
APT attacks that use boobytrapped documents don't only target Windows users. Back in March, researchers from security firm AlienVault, analyzed an APT attack against Tibetan activists that exploited a vulnerability in Microsoft Office for Mac to install Mac malware.
"With the current interest being shown by cybercriminals in infecting Macs, it would be extremely sensible for all users of Microsoft Office on the Mac to update their systems as a matter of priority," said Graham Cluley, a senior technology consultant at antivirus vendor Sophos, in a blog post on Wednesday.
"Note that if you rely solely upon the Software Update feature built into Mac OS X it will not update the Microsoft product," Cluley said. Security patches for Microsoft Office for Mac are delivered through the program's own updating mechanism.
Related Articles
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Bookmark this page
- Share this article
- Got more on this story? Email CIO
- Follow CIO on twitter
- Snapshot of Exploit Documents for April 2012 : Malware Blog : Trend Micro
- Microsoft Security Bulletin MS12-029 - Critical : Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352)
- Malware Infects Macs Through Microsoft Office Vulnerability : PCWorld Business Center
- What the RTF? Mac and Windows users at risk from boobytrapped documents : Naked Security
- When IT Hits The Road - Goodyear Singapore Tires
- Backup and Recovery Changes Drive IT Infrastructure and Business Transformation
- Penrith City Council Case Study - Productivity Rises as High as the Mountains
- Cloud 101
- Businesses are ready for a new approach to IT - Simplify deployment and reduce complexity using systems integrated with expertise
-
Spiceworks' free management software gets integrated MDM
-
Opinion: Why national e-health is not for everyone
-
Opinion: Why national e-health is not for everyone
-
Opinion: Why national e-health is not for everyone
-
Opinion: Why national e-health is not for everyone
-
Leading Through Connections – Insights from the Global Chief Executive Officer Study
IBM’s 2012 Global CEO study follows face-to-face discussions with more than 1,700 CEOs and senior public sector leaders from around the globe. The findings examine how CEOs are responding to the complexity of increasingly interconnected organisations, markets, societies and governments. For example, almost one-quarter of CEOs say their organisations operate below par in terms of driving value from data. CEOs have expressed frustration about their inability to capitalise on available information. This is because: “The time available to capture, interpret and act on information is getting shorter and shorter.” CEO, Chemicals and Petroleum, United States Given the need for deeper business insight, the best performing organisations are more adept at converting complex data into insights, and insights into action. Download Entire Report Now. -
Mobility Apps: What every developer should know
Learn how others have delivered industry-leading, multi-platform management and security solutions. In this whitepaper, we look how app developers can develop, deploy and manage apps that enterprises can rely on today and into the future. Click to download! -
Deploying Flash in the Enterprise
Flash is quickly emerging as the preferred way to overcome the nagging performance limitations of hard disk drives. However, because flash comes at a significant price premium, outright replacement of HDDs with flash only makes sense in situations in which capacity requirements are relatively small and performance requirements are high. Learn how deployment approaches-including hybrid storage arrays, server flash, and all-flash arrays-that combine the performance of flash with the capacity of HDDs can be cost effective for a broad range of performance requirements.
Get exclusive access to Invitation only events CIO, reports & analysis. 
