09 January, 2019

Understanding the security implications of the latest patched Microsoft Office product memory leak vulnerability

by Matthew Gardiner, cybersecurity strategist at Mimecast

What happens when you combine sophisticated anti-phishing attachment inspection, static file analysis, machine executable code in data files, customer reports of false positives, Microsoft Office suite, ActiveX controls and a bit of serendipity? The discovery of an important newly-patched vulnerability with Microsoft Office products!

This newly-patched vulnerability in Microsoft Office products—discovered by the Mimecast Research Labs team—has very likely created the widespread, unintended leakage of sensitive information in millions of previously created Office files. However, Mimecast is not aware of any actual exploit of this vulnerability.

This vulnerability was classified as “Important” by Microsoft, which means it could result in the “compromise of the confidentiality, integrity, or availability of a user’s data, or of the integrity or availability of processing resources.”

This is reminiscent of the Heartbleed vulnerability disclosed in 2014 in the OpenSSL cryptographic library, which enabled the widespread unintended disclosure of the memory of the host on which the unpatched version of the library ran.

Microsoft has recently released a security patch for this vulnerability. We encourage all users of the Microsoft Office product to deploy this patch as soon as possible. To learn more about the vulnerability and the technical method we used in its detection, please check out this Mimecast technical whitepaper.

How Mimecast discovered this Microsoft vulnerability

Now for the backstory! In early November of 2018, Mimecast Research Labs, was investigating what we thought of at the time was a run-of-the-mill false positive malware detection claim from one of our email security customers. In the normal course of business, Mimecast receives reports from customers of false positive detections of phishing attacks, some of which include the detection of files suspected of being malicious.

The investigation of a purported false positive malware file quickly turned out to be something quite different. This investigation led the team to discern that Microsoft Office product had a memory leak, and not just a garden-variety memory leak that just consumed too much system memory, but one that could lead to the unintended disclosure of information for any unpatched Microsoft Office suite instance using ActiveX controls.

On deeper examination of the submitted files, the Mimecast team discovered that they did in fact contain machine executable code, generally a security concern in a data file such as the Microsoft Word solution. This existence of machine executable code in a data file is generally a key indicator of a potential exploit. But in this case the machine executable was only a fragment and thus not malicious. Further investigation led to the conclusion that Microsoft Office files that included ActiveX controls were consistently causing memory leaks.

In fact, this memory leak leads to the permanent writing of memory content into different Microsoft Office files and thus, the potential for the unintended leakage of sensitive information and local machine information. If known, this is the type of data could be useful to cybercriminals for executing a malware-enabled, remote execution attack and at least as important—to steal sensitive information. The Mimecast team has evidence of this leak in documents dating years back. Some documents were even found online containing sensitive user information.

What are the security implications of this vulnerability?

We believe that once the patch is applied those patched systems will no longer be vulnerable to this information leak vulnerability. That is the good news. However, what about the millions of Office files that have been created to date by vulnerable Microsoft Office versions that now have random bits of potentially sensitive information in them? If these files are currently available on the public internet they would be available for harvesting and analysis by anyone. We would suggest perhaps removing them or resaving them with a patched version of Microsoft Office.

One thing that the detection of this vulnerability shows is that diligent investigations even of false positives can lead to important security discoveries!

Microsoft Security Response Center correspondence timeline

Nov. 6, 2018 – Reached out to Microsoft Security Response Center (MSRC) with information and reproduction instructions.

Nov. 7, 2018 – MSRC Case 48359 opened.

Nov. 8, 2018 – MSRC successfully reproduce the issue.

Dec. 12, 2018 – MSRC notifies that this issue will be fixed with CVE in January security patch.

Jan. 8, 2019 – Patch is deployed with CVE-2019-0560.