New Zero-Day Malware Targets Microsoft Office, Lync Instant Messenger

UPDATED 1:15 pm ET Thursday (Nov. 7) with information about exploit being used in specific malware campaigns.

Microsoft is warning Windows users of yet another zero-day exploit spotted in the wild, this one affecting Windows Vista, older versions of Microsoft Office and some versions of Microsoft Lync instant messenger.

The zero-day — a malicious piece of software that takes advantage of a previously unknown security vulnerability, giving users zero days to prepare — exploits a flaw in the way Microsoft Office 2003, 2007 and 2010, plus Lync and Vista, handle Tagged Image File Format (TIFF) image files.

"We are aware of targeted attacks, largely in the Middle East and South Asia," wrote Microsoft Trustworthy Computing Group Manager Dustin C. Childs in an official Microsoft Security Response Center blog posting earlier this week. "The attack is disguised as an email requesting potential targets to open a specially crafted Word attachment."

A separate zero-day exploit, targeting Internet Explorer, appeared in mid-September in East Asia.

MORE: 5 Free PC Security Programs Worth Downloading

Who's at risk from the Office zero-day

All currently supported versions of Microsoft Windows — XP, Vista, 7, 8 and RT, plus corresponding server variants — are vulnerable to this exploit if they're running Office 2003 or 2007.

Because of the way Office 2010 handles TIFFs, the flaw in that version of Office only affects Windows XP, not Vista or later versions.

Unfortunately, Windows Vista is itself vulnerable to this zero-day exploit, with or without the presence of Office. (Other versions of Windows are safe without the affected versions of Office or Lync installed.)

Several versions of Lync, Microsoft's enterprise instant-messaging software, are affected on all Windows platforms for all processor architectures — Microsoft Lync 2010, 2010 Attendee, 2013 and Basic 2013.

Mac editions of Microsoft Office and Lync are not affected. Nor are users of Lync's predecessor, Microsoft Communicator, or of Microsoft's consumer instant-messaging software, MSN Messenger, Windows Live Messenger and Skype instant messenger.

How the Office zero-day attacks

The zero-day exploit uses booby-trapped Word documents attached to email messages sent to selected targets. Microsoft's official security advisory says infected documents could theoretically be sent over file-sharing services, and that the exploit could also be hidden in Web pages to trigger drive-by downloads.

In the latter case, shortened links from instant-messaging services, or social networks such as Facebook or Twitter, could lead targets to infected Web pages.

In all situations, users who are logged in with limited privileges, which block installation or modification of software, will be less affected. If the malware infects those users, it won't be able to do much.

Microsoft's advisory promises that the company "will take the appropriate action to help protect our customers," which "may include providing a security update through our monthly release process, or providing an out-of-cycle security update, depending on customer needs."

How to block the Office zero-day

Until then, users of affected software will have to take some rather complicated steps to block this exploit.

The simplest way is to install the "Fix-it" Microsoft has created, available from a special Microsoft page. It adjusts the Windows Registry to block the viewing of TIFFs.

Alternatively, skilled users accustomed to manually changing the Registry can add this line:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftGdiplusDisableTIFFCodec = 1

Most users shouldn't try to do this, as one wrong character can seriously mess up a PC.

Users who don't want to block TIFF viewing can install and configure Microsoft's Enhanced Mitigation Experience Toolkit (EMET), which allows fine-tuning of security options for almost every aspect of a Windows system.

In this case, EMET will have to be tweaked so that any of the following anti-malware features are enabled for Office: Caller, EAF, HeapSpray, MandatoryASLR, MemProt, SimExec or StackPointer. (It's not clear if this will block the exploit from affecting Lync.)

In addition, enabling Protected View or blocking ActiveX controls in Office will make it harder, if not impossible, for the malware to attack Office. (Office 2010 has Protected View switched on by default.)

Sophisticated and stealthy

The exploit employs sophisticated tricks — an active-memory "heap spray" using Microsoft's ActiveX software scripting — to evade anti-malware barriers such as address space layout randomization (ASLR) and data execution prevention (DEP). It was first spotted in the wild on Halloween (Oct. 31) by McAfee security researchers.

"This heap-spraying in Office via ActiveX objects is a new exploitation trick which we didn't see before," wrote McAfee researcher Haifei Li in a company blog posting Tuesday (Nov. 5). "Previously, attackers usually chose Flash Player to spray memory in Office."

"We would believe the new trick was developed under the background that Adobe introduced a click-to-play feature in Flash Player months ago, which basically killed the old one," Li wrote. "This is another proof that attacking technique always tries to evolve when old ones don't work anymore."

UPDATE: Later on Wednesday, security firms FireEye and Symantec disclosed that the new Office zero-day exploit was being used by two well-established groups of hackers, both active in South Asia.

One group runs the Operation Hangover espionage campaign, which was first uncovered in the spring of 2013 and appears to originate in India and target Pakistan.

Both FireEye and Symantec found links to the Hangover crew in malicious email attachments bearing the the Office zero-day, which FireEye's analysis indicates began to be used by the Hangover crew only last month.

FireEye also found that the Office zero-day is being used by a criminal crew, which FireEye calls the Ark group, to spread the Citadel banking Trojan. The Ark group started using the Office bug about a month ago and mainly targets online banking customers in India and Pakistan.

The FireEye researchers said the Ark crew had actually improved the Office exploit attack a bit, using "a slightly more clever approach to spray the same amount of memory using fewer objects in their exploit document."

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.