This week’s patch Tuesday brought a Microsoft Word patch to fix a particularly nasty exploit used by bad guys to compromise your system.
The traditional attack progresses through eight steps:
1. Email bypasses defenses, delivered to inbox.
2. User sees email.
3. User opens email.
4. User sees attachment.
5. User opens attachment.
6. User sees active content prompt.
7. User enables active content.
8. Evil activated.
The exploit eliminated steps 6 & 7. Using the exploit, the attacker was able to install tools merely by the user opening the attachment, without the user enabling the active content. As soon as the user opens the document, the exploit permits the execution of the evil code without further user interaction. The system displays a user dialog box, but the dialog box is too little, too late — the exploit has been successfully installed and its dirty work obfuscated before the dialog box appears. Threatpost provides this example of the exploit’s final user interaction.
Even if the user selects “no”, the system has already been compromised.
Note the two unfortunate decisions the user made before the new and improved Dridex did it dirty work. At steps 3 and 5 the bad guys tricked the user into opening the email and then opening the attachment. As we wrote in Cyberattack Evolution, reinstating steps 6 & 7 does not introduce a substantial barrier to attackers — the bad guys have already mastered techniques to trick users into enabling active content. No doubt placing more steps in the process will reduce the completion rate; however, the power of spearphishing is driven by social engineering, not technical exploits. Fixing the way Microsoft products process an embedded OLE2link object doesn’t address the root problem — user deception.