
How can embedded documents be used to attack enterprises?

A flaw in a legacy Microsoft Windows feature allows attackers in through executable embedded documents. Expert Nick Lewis explains the vulnerability and how enterprises can stop it.

I read about a Windows feature that allows attackers to perform code execution in Microsoft Office, bypassing embedded executable object controls. How does this attack work? Why isn't Microsoft fixing it, and what can enterprises do to stay safe from hidden risks within embedded documents?

Backwards compatibility and legacy features are among the most vulnerable areas of any software. Software built with modern development lifecycles and developer tools has a better chance of being secure than older code, although new developers still make security mistakes. Legacy code -- including many parts of Windows and the OLE embedding feature -- has plagued Microsoft since it began its push into trustworthy computing. Microsoft's newer software has been more secure, but it still has insecure legacy features it needs to support. Microsoft has not said why it is not disabling this insecure feature, but it is possible that critical functionality, like basic copy and paste, would be affected by a fix.

Kevin Beaumont described an attack on the OLE embedding feature. The attack works because certain file types and applications on Windows allow users to embed arbitrary files within the main file. For instance, a user can embed an Excel spreadsheet in a Word document and then use Excel to edit the spreadsheet. This provides significant functionality, but also significant complexity and risk. An embedded document appears as an icon in the Word document, and the end user has to double-click the icon to open or execute it. That embedded file could be malware and, like other malware, completely compromise the security of the system. Once arbitrary code is executed on an endpoint, it is difficult to keep the system secure.

Enterprises can stay safe from malicious embedded documents by using tools that scan an entire file for malware and unpack or decode the many different ways an executable can be included in a file. These tools could be antimalware software, Web security proxies, email security gateways or others; whatever the tool, it needs to be able to extract any executable content from a seemingly safe file type so the malware can be identified.
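The unpacking step described above, as an added example (not part of the original article and not the author's or Microsoft's tooling): a Python script that opens an OOXML Word file as the zip it is, lists every embedded OLE part, checks each one for a Windows PE header and notes whether the document declares a Packager ("Package") object. The `word/embeddings/` part names and the `ProgID` attribute are standard OOXML; the sample document is constructed in code.

```python
import io
import re
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound-file header
PE_MAGIC = b"PE\0\0"

def find_pe_headers(blob: bytes) -> list:
    """Offsets of each 'MZ' stub whose e_lfanew field points at a PE signature."""
    hits = []
    for m in re.finditer(b"MZ", blob):
        off = m.start()
        if off + 0x40 > len(blob):  # too short to hold a DOS header
            continue
        (e_lfanew,) = struct.unpack_from("<I", blob, off + 0x3C)
        if blob[off + e_lfanew:off + e_lfanew + 4] == PE_MAGIC:
            hits.append(off)
    return hits

def scan_docx(data: bytes) -> list:
    """For every embedded OLE part, report whether it is an OLE2 container, whether
    it carries a PE executable, and whether the document declares a Packager object
    (ProgID 'Package', used when an arbitrary file rather than an Office object is embedded)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        xml = (z.read("word/document.xml").decode("utf-8", "replace")
               if "word/document.xml" in names else "")
        packager = "Package" in re.findall(r'ProgID="([^"]+)"', xml)
        for name in names:
            if name.startswith("word/embeddings/"):
                blob = z.read(name)
                findings.append({"part": name, "packager_object": packager,
                                 "ole_container": blob.startswith(OLE_MAGIC),
                                 "pe_offsets": find_pe_headers(blob)})
    return findings

def build_sample_docx() -> bytes:
    """Constructed input, not a real document: a minimal .docx-like zip holding
    one embedded object whose stream contains a bare PE header 32 bytes in."""
    pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + PE_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", '<w:document><o:OLEObject Type="Embed" '
                   'ProgID="Package" r:id="rId5"/></w:document>')
        z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\0" * 24 + pe)
    return buf.getvalue()
```

The same checks apply to Excel and PowerPoint files by swapping the `word/` prefix for `xl/` or `ppt/`; a gateway would run this over every attachment before the file reaches a user.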



This was last published in February 2016
