Mimecast says its Threat Center software found the bug used in the world by a group of hackers of apparent Serbian origin. The combination allows for the malware to go undetected, leaving the user completely unaware their system is compromised. “Our detection engines spotted an attacker group, which seems to originate from Serbia, using specially-crafted Microsoft Word documents to take advantage of how Microsoft Word handles Integer Overflow errors in the OLE file format,” said Mimecast’s Meni Farjon. “The group was able to exploit this bug to circumvent many security solutions designed to protect data from infestation, including leading sandbox and anti-malware technologies.”
Microsoft Refuses to Patch
As is customary, Mimecast reached out to Microsoft with the vulnerability. Interestingly, the company won’t be fixing it at this time. Farjon said that though the behavior of OLE in Microsoft Word was unintended, it does not result in memory corruption or code execution on its own. The company is likely referring to the fact it hinges on CVE-2017-11882. This memory corruption vulnerability was patched in late 2017. Theoretically, users who have updated since then won’t be at risk from this attack. The OLE behavior is primarily used to mask the malware, rather than exploit the system directly. However, Farjon believes the OLE issue can be used with any Word vulnerability. As well as unpatched systems, attackers may be able to mask yet-to-be-found zero-day exploits. Targetting users through Microsoft Office is a favorite method for hackers. We’ve seen countless bugs making use of emailed documents, so it would help to receive clarification from Microsoft. Of course, it’s possible Microsoft will fix the OLE flaw in the future. It doesn’t appear to be a priority at this time, but that doesn’t mean the company will never fix it.