Day-Zero Attacks Against Microsoft Office Successfully Blocked


Kaspersky Lab’s Automatic Exploit Prevention (AEP) technology successfully blocks attacks via the recently discovered system vulnerability in Microsoft Office software. Microsoft reported knowledge of targeted attacks attempting to exploit this vulnerability.

On November 5, Microsoft issued a Security Advisory notifying users of a system vulnerability that would allow successful attackers to gain the same access rights as the current user. This vulnerability affects Microsoft Windows, Microsoft Lync, and Microsoft Office. Given the vast usage of affected programs, this software vulnerability put millions of users around the world at risk.

Kaspersky Lab has confirmed that AEP has successfully blocked any attempts to exploit this previously unknown Microsoft software vulnerability. By monitoring for unusual behavior rather than relying only on databases of malware that has already been detected, AEP has once again proven the value of proactive protection.

“Behavior-based detection logic for this kind of exploitation was implemented in Automatic Exploit Prevention technology almost a year ago. Based on our research, which was conducted after the vulnerability was disclosed, the first malicious attack attempts using this vulnerability happened as early as July of this year,” said Nikita Shvetsov, Deputy CTO at Kaspersky Lab.

IHLS – Israel Homeland Security

The Microsoft vulnerability, recorded as CVE-2013-3906, is a remote code execution vulnerability in the Microsoft Graphics system component. According to Microsoft: “An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”

In their advisory, Microsoft provides immediate suggestions for a workaround solution which “does not correct the underlying issue but would help block known attack vectors before a security update is available.” The full fix for this vulnerability is expected to be issued in Microsoft’s next batch of software update patches.

This situation is a perfect example of a “window of vulnerability,” where a known vulnerability exists and is presumably being targeted by cybercriminals, but the software company is unable to issue an immediate fix. Until the fix is issued, an incalculable number of users around the world are vulnerable to cyberattacks.