I read about a Windows feature that allows attackers to perform code execution in Microsoft Office, bypassing embedded executable object controls. How does this attack work? Why isn't Microsoft fixing it, and what can enterprises do to stay safe from hidden risks within embedded documents?
Backward compatibility and legacy features are among the most vulnerable areas of any software. Software built with modern development lifecycles and developer tools has a better chance of being secure than software designed by new developers who still make security mistakes. Legacy code -- including many parts of Windows and the OLE embedding feature -- has plagued Microsoft since it began its push into trustworthy computing. Microsoft's newly developed software has been more secure, but it still has insecure features it needs to support. Microsoft has not said why it was not disabling this insecure feature, but it is possible that critical functionality, such as basic copying and pasting, could be affected by a fix.
Kevin Beaumont announced an attack on the OLE embedding feature. The attack works because certain types of files and applications on Windows allow users to embed arbitrary files within the main file. For instance, a user could embed an Excel spreadsheet in a Word document and then use Excel to edit the spreadsheet. This provides significant functionality, but also significant complexity and risk. The embedded document appears as an icon in the Word document, and the end user needs to double-click the icon to open or execute it. That embedded file could be malware and, like other malware, completely compromise the security of the system. Once arbitrary code is executed on an endpoint, it is difficult to keep the system secure.
Enterprises can stay safe from embedded documents by using tools that scan an entire file for malware and unpack or decode the many different ways an executable can be included in a file. These tools could be antimalware software, web security proxies, email security gateways or others; whichever is used, it needs to extract any executable content from a seemingly safe file type so the malware can be identified.
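The kind of unpacking described above, as an added example that is not part of the original column or of any product it mentions: a small Python scanner that walks a modern Office file (the OOXML .docx/.xlsx/.pptx format is a zip package; embedded objects are stored under an `embeddings/` folder, and VBA macros in a `vbaProject.bin` OLE container), classifies each part by its magic bytes, and flags anything that is a Windows executable, a legacy OLE compound file, or a launchable script type. The test document it builds is constructed inline and contains only header stubs, not real programs; the function names, the signature table and the extension list are this example's own choices.

```python
import io
import posixpath
import zipfile

# File signatures worth flagging inside an Office container. Constructed for
# this example; a production scanner would use a much longer table.
MAGIC = {
    b"MZ": "pe-executable",                                     # Windows PE (exe/dll/scr)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound-file",   # legacy OLE/CFB container
    b"PK\x03\x04": "zip-container",                             # nested zip (OOXML, jar, ...)
    b"%PDF": "pdf",
}

# Extensions Windows hands to a loader or script host when the icon is launched.
LAUNCHABLE_EXT = {".exe", ".dll", ".scr", ".com", ".js", ".jse", ".vbs",
                  ".vbe", ".ps1", ".bat", ".cmd", ".hta", ".jar", ".lnk"}


def classify(data: bytes) -> str:
    """Return a content label for the given bytes based on their magic header."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def scan_ooxml(blob: bytes, path: str = "", depth: int = 0, max_depth: int = 3) -> list:
    """Walk an OOXML package and return (part_path, kind) findings.

    A part is reported when it sits under an embeddings/ folder, when its magic
    header says it is a PE or OLE container wherever it sits (this also catches
    vbaProject.bin), or when its extension is launchable. Nested zips are
    recursed into with a depth cap so a zip-in-zip chain cannot exhaust the scanner.
    """
    findings = []
    if depth > max_depth:
        findings.append((path, "max-depth-exceeded"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings  # not a zip-based Office file; other scanners handle it
    for info in zf.infolist():
        name = info.filename
        full = posixpath.join(path, name) if path else name
        lower = name.lower()
        data = zf.read(info)
        kind = classify(data)
        ext = posixpath.splitext(lower)[1]
        if ("/embeddings/" in lower
                or kind in ("pe-executable", "ole-compound-file")
                or ext in LAUNCHABLE_EXT):
            findings.append((full, kind))
        if kind == "zip-container":
            findings.extend(scan_ooxml(data, full, depth + 1, max_depth))
    return findings


def is_suspicious(findings) -> bool:
    """True when any finding is executable or is an OLE container that must be unpacked further."""
    return any(kind in ("pe-executable", "ole-compound-file")
               or posixpath.splitext(p.lower())[1] in LAUNCHABLE_EXT
               for p, kind in findings)


def _zip_bytes(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_docx() -> bytes:
    """Constructed test document: a minimal docx-like package with an embedded PE
    header stub, an embedded inner document that itself carries a PE stub, and
    an ordinary image. None of the payloads is a real program."""
    pe_stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32
    inner = _zip_bytes({
        "[Content_Types].xml": b"<?xml version='1.0'?><Types/>",
        "word/document.xml": b"<?xml version='1.0'?><w:document/>",
        "word/embeddings/oleObject1.bin": pe_stub,
    })
    return _zip_bytes({
        "[Content_Types].xml": b"<?xml version='1.0'?><Types/>",
        "word/document.xml": b"<?xml version='1.0'?><w:document/>",
        "word/media/image1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "word/embeddings/oleObject1.bin": pe_stub,
        "word/embeddings/Microsoft_Word_Document1.docx": inner,
    })


if __name__ == "__main__":
    for part, kind in scan_ooxml(build_sample_docx()):
        print(f"{kind:20} {part}")
```

The scanner stops at the OLE compound file boundary: a packaged file embedded through the Windows Packager lives inside that container as an `\x01Ole10Native` stream, so a gateway that wants the real payload (and its true extension, not the icon's caption) has to parse the compound file as well, which is exactly the "unpack or decode the many different ways" step the answer calls for. The depth cap matters in a gateway because a nested-zip chain is a cheap way to make a naive recursive scanner spend unbounded time.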