This got beamed into my head through a LinkedIn post a couple of weeks ago. The poster had wanted a more authoritative response to the question, “Can opening Microsoft Word documents cause an infection without Macros?”.
Yes, you can get infected without having Macros. Apple, Microsoft, and Linux have all been dealing with image exploitations for over a year now. These consist of specially crafted images with embedded code that is executed by the O/S. This has resulted in ongoing patch efforts by all of these vendors. Apple has to deal with its iOS, Safari, and Text Messenger. Apple users, please note that “immunity through obscurity” no longer applies to you. I’d say about 20% of all spam I tracked last year came from infected iPhones. A simple MMS text message with an image is all it took; you didn’t even have to click on anything.

Microsoft has had to deal with its many O/Ses, Internet Explorer variants, the Edge browser, Office products, and Skype/Lync/SharePoint. Google and Mozilla have made patches in their cross-platform browsers as well. So have the Opera browser folks.

Last week’s Patch Tuesday updates contained Critical updates relative to their GDI (Graphics Device Interface) libraries, the IE and Edge browsers, the XML libraries (instant messaging usually), and support libraries for Adobe Flash. In other words, the seemingly never-ending image rendering problems that have plagued them. Microsoft also released Important updates affecting Hyper-V, OLE (Object Linking and Embedding), HTTP libraries, some authentication libraries, and a potential memory corruption problem with Office products. All told, about 46 patches across all of the affected MS products. Later last week Adobe, as is their norm, released 7 Critical patches for their Flash product.
The issue that Jason is referring to, I believe, pertains to the rendering of RTF-formatted documents by Office Word. Emails have been going around with what looks like a standard Word .doc attachment but is really a malicious RTF file. Rich Text Format (RTF) is an open standard that pre-dates all Office products. You don’t see much of it these days, but some EMRs and older automated software systems still render RTF documents. Now, despite Privacy Center warning messages that pop up stating that the “document contains links to external sources”, users *could* click through and infect themselves with a banking trojan. These little buggers steal your bank login credentials. I can assure you that nothing good will come of that 🙂 Now really, with some due diligence by the user (viewing the source, etc.) you can tell that this is an RTF (Rich Text Format) file, not the DOC/DOCX file that was advertised. Of course, in today’s age of instant gratification, who has time for that? In Microsoft’s security bulletin feed, they assert that there are no active exploits, but that is simply not the case.
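A concrete version of that “view the source” check, added here as example code that is not from the original post: it identifies the real container by its leading bytes, flags a file whose advertised .doc/.docx extension disagrees with its content, and, for RTF, counts the OLE-object control words (\object, \objautlink, \objupdate and friends) whose presence is what produces the “links to external sources” prompt. The control-word list is a heuristic and the sample files are constructed for illustration, not real malware.

```python
import re

# Magic bytes of the containers a "Word document" attachment can really be.
RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary, legacy .doc
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docx is a zip archive
EXPECTED = {".doc": "ole", ".docx": "ooxml", ".rtf": "rtf"}
# RTF control words that introduce embedded or linked OLE objects; a linked or
# auto-updating object is what raises Word's "links to external sources" prompt.
OBJECT_WORDS = re.compile(rb"\\(object|objemb|objlink|objautlink|objupdate|objdata)(?=[^a-z])")

def sniff_format(data: bytes) -> str:
    """Classify by content, ignoring leading whitespace some RTF writers emit."""
    head = data.lstrip()[:8]
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"

def rtf_object_words(data: bytes) -> dict:
    """Count object control words (heuristic); \\objautlink/\\objupdate weigh most."""
    counts = {}
    for word in OBJECT_WORDS.findall(data):
        key = word.decode("ascii")
        counts[key] = counts.get(key, 0) + 1
    return counts

def assess(filename: str, data: bytes) -> dict:
    """Compare the advertised extension with the real container and summarise."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    actual = sniff_format(data)
    expected = EXPECTED.get(ext)
    report = {"ext": ext, "actual": actual,
              "mismatch": expected is not None and expected != actual}
    if actual == "rtf":
        report["objects"] = rtf_object_words(data)
    return report

# Constructed samples (not real malware): an RTF carrying an auto-updating linked
# object but named like a .doc, and a genuine legacy .doc header.
FAKE_DOC = b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 0105000002000000}}}"
REAL_DOC = OLE_MAGIC + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("invoice.doc", FAKE_DOC), ("report.doc", REAL_DOC)):
        print(name, assess(name, blob))
```

A mail gateway or endpoint script can run the same check on every attachment and quarantine anything that reports a mismatch together with \objautlink or \objupdate.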
As for authoritative sources, I’m pretty damned good. However, I will provide these additional references:
1) Brian Krebs: https://krebsonsecurity.com/2017/04/critical-security-updates-from-adobe-microsoft/
2) Browsers: https://technet.microsoft.com/en-us/library/security/MS16-037
3) GDI: https://technet.microsoft.com/en-us/library/security/MS17-013
4) Office: https://technet.microsoft.com/en-us/library/security/MS17-014
5) DirectShow: https://technet.microsoft.com/en-us/library/security/MS17-021
Now as an engineer, would I issue a “stop ship” or a “stop using” directive? Probably not. As usual, use due diligence and good judgement. But if you flit about willy-nilly sending and receiving Office files, you should not be surprised when one of them slaps you in the face.