pFragments Microsoft Office exploit resurfaces again

News by Steve Gold

A Microsoft Office exploit - CVE-2010-3333, which was first discovered around 18 months ago - is reportedly now being used once again to attack business users of the popular application suite.

The attack vector was used to great effect in November 2012 to attack NATO's Special Operations Headquarters and is a stack-based buffer overflow linked to the Microsoft RTF (Rich Text Format) parser.

In its original analysis of the exploit, Rapid7 said that it exploits a stack-based buffer overflow in the handling of the 'pFragments' shape property within the Microsoft Word RTF parser.

“All versions of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the MS10-087 bulletin are vulnerable,” said the company, adding that the code does not attempt to exploit the vulnerability via Microsoft Outlook.

“The Microsoft Word RTF parser was only used by default in versions of Microsoft Word itself prior to Office 2007. With the release of Office 2007, Microsoft began using the Word RTF parser, by default, to handle rich-text messages within Outlook as well,” the firm notes in its analysis.

According to Commtouch, meanwhile, CVE-2010-3333 has now resurfaced because it is relatively simple to exploit and users have still not applied the MS10-087 update that solves the problem.

"As of this writing, the exploit samples we've seen this month dismantle the structure of 'pFragments' in the RTF in order to avoid being detected," says Lordian Mosuela, a security researcher with the Israeli security vendor, in his analysis of the latest campaign.
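As an added illustration (not code from the article, Rapid7 or Commtouch), a small Python triage scanner that normalizes an RTF file before looking for the pFragments shape property, so that a property name pulled apart by whitespace, empty groups or \'hh hex escapes still matches. The sample fragments are constructed, and the obfuscation forms handled are assumptions about how such dismantling might look, not a description of the real samples.

```python
import re

# Constructed sample RTF fragments (not real malware). The obfuscated variant
# is an assumed form: the name is split with a hex escape, an empty group and
# extra whitespace so a naive substring search for "pFragments" fails.
PLAIN_RTF = rb"{\rtf1{\shp{\sp{\sn pFragments}{\sv 1;1;ffff}}}}"
OBFUSCATED_RTF = rb"{\rtf1{\shp{\sp{\sn p\'46r{}ag  \'6dents}{\sv 1;1;ffff}}}}"
BENIGN_RTF = rb"{\rtf1{\shp{\sp{\sn fillColor}{\sv 255}}}}"

# \'hh is the RTF escape for a single raw byte written as two hex digits.
HEX_ESCAPE = re.compile(rb"\\'([0-9a-fA-F]{2})")


def normalize_rtf(data: bytes) -> bytes:
    """Collapse the assumed obfuscation forms so property names can be compared."""
    # Decode hex-escaped bytes back to their literal values.
    data = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    # Drop empty groups and whitespace that were inserted to split a name.
    data = data.replace(b"{}", b"")
    data = re.sub(rb"[ \t\r\n]+", b"", data)
    # RTF keywords and property names are matched case-insensitively here.
    return data.lower()


def has_pfragments(data: bytes) -> bool:
    """True when a (possibly obfuscated) pFragments shape property is present."""
    # After normalization "\sn pFragments" always reads "\snpfragments".
    return b"\\snpfragments" in normalize_rtf(data)


def scan_samples(samples: dict) -> dict:
    """Return {name: True/False} for a batch of in-memory RTF samples."""
    return {name: has_pfragments(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    results = scan_samples({"plain": PLAIN_RTF,
                            "obfuscated": OBFUSCATED_RTF,
                            "benign": BENIGN_RTF})
    for name, flagged in results.items():
        print(f"{name}: {'pFragments present' if flagged else 'no pFragments'}")
```

A hit is a triage indicator for closer inspection rather than proof of exploitation, since pFragments is also a legitimate shape property; the real control remains applying MS10-087.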

The solution to the issue, says the firm, is to keep antivirus definitions up to date and to apply the latest Microsoft Windows and Office updates.

Steve Smith, managing director with Pentura, the security consultancy, agreed with this strategy.

"Targeting unpatched vulnerabilities is simply a numbers game - attackers know that in the few days following a patch being issued, a majority of organisations will apply it," he said, adding that this still leaves a large number of firms that haven't applied the patch.

"As we saw with the Heartbleed issue, it can take time for companies to bring their systems up to date. And as more time passes after the patch has been issued, the less likely it is to be applied," he explained.
