Microsoft recently announced a vulnerability in several of its products that can occur when processing TIFF image files, noting that the exploit was already occurring in the wild. Attackers emailing specially crafted Word documents that contained malformed embedded images have been infecting computers in the Middle East and South Asia.
Researchers have noted that attackers are exploiting the vulnerability in a unique way, and additional analysis from security firm FireEye has shown the attacks are more widespread than first believed, with at least two groups, dubbed Arx and Operation Hangover, actively using the exploit. Operation Hangover, a malware ring discovered earlier this year, appears to be using the attack to connect more machines to its command-and-control server network, which has been used for a variety of malicious activities. Arx’s motivation appears to be more pointedly financial, injecting computers with Citadel, a vicious Trojan generally used to access and empty bank accounts. Microsoft has issued a workaround, but the vulnerability underscores the importance of strengthening code to prevent vulnerabilities in anticipation of hackers’ resourcefulness.
A unique approach
The vulnerability, identified as CVE-2013-3906, is a heap overflow that occurs when TIFF images with user-controlled allocation and copy size are processed. A function pointer can be overwritten and used to carry out a remote code execution. To do this, the attacker must be able to control the memory layout. Both groups of attackers determined a way to do this using slightly different takes on spraying the heap memory using the ActiveX control, FireEye’s researchers noted.
“In order to achieve code execution, the exploit combines multiple techniques to bypass [Data Execution Prevention]and [address space layout randomization] protections,” Microsoft’s Elia Florio wrote in a blog post. “Specifically, the exploit code performs a large memory heap-spray using ActiveX controls (instead of the usual scripting) and uses hardcoded [return-oriented programming] gadgets to allocate executable pages. This also means the exploit will fail on machines hardened to block ActiveX controls embedded in Office documents…”
This is the first time researchers have seen the ActiveX heap-spraying exploit technique, according to McAfee’s Haifei Li, whose team first discovered the attack. Past attacks relied on Flash Player to spray memory in Office, but these have largely been stopped since a recent Adobe update.
“This is another proof that attacking technique always tries to evolve when old ones don’t work anymore,” Li wrote.
As attackers continue to look for new vulnerable components and possible vectors when old ones are found, the lesson to developers is that software security needs to be fundamental to any product being built. Using tools such as static analysis software, programmers can scan disparate components in their software and find specific pieces of code that might be susceptible to attacks.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.