Experts have found illegal function MS Office

Office Suite collects data on its users without telling them about this process.

electrostatic experts “Kaspersky Lab” found in MS Office methadonemaintenance function, which allows attackers to collect data about the target system by simply sending the victim a specially formed Microsoft Word document, with no active content: VBA macros, embedded Flash objects or executables. A function present in Microsoft Word for Windows and mobile versions of Microsoft Office for iOS and Android. LibreOffice and OpenOffice don’t support it.

According to the researchers, the functionality is already being exploited by hackers in the framework of multi-stage attacks Freakyshelly, the first stage which involves the collection of data on the target system. The study of this attack, the experts detected phishing newsletters that contained some interesting attachments as files in OLE2 format, which did not contain any macros, no exploits, or any other active content. Upon closer inspection, it turned out that the file included a number of links to PHP scripts located on external websites. When you try to open files in MS Word, the application can send a GET request on one of the links, as a result, attackers obtained the data about the installed system software.

The analysis of the document revealed the INCLUDEPICTURE field, stating that certain text is tied to the picture, however, the attacker used it to place suspicious links. The problem is that Microsoft documentation for a description of the INCLUDEPICTURE field is practically absent. In the ECMA-376 standard describes only part of the INCLUDEPICTURE field to one byte delimiter and there is no information on how to interpret the data after it, and how to interpret, experts said.

© 2017 – 2019, paradox. All rights reserved.