Old MS Office feature can be exploited to deliver, execute malware

A Microsoft Office functionality that has been in use since the early 1990s can be exploited to deliver malicious, executable files to users without triggering widely used security software, claims security researcher Kevin Beaumont.

The feature in question is the OLE Packager, which allows content (even executable content such as .exe or .js files) to be embedded in Office documents.

Beaumont says he contacted Microsoft about this in March and shared with them that threat actors were experimenting with it in the wild (he doesn’t say how he found that out).

“At the time they asked me not to post information about the problem online. They have not addressed the problem, and believe it is a feature of Office,” he noted, and presumably finally decided to disclose the existence of the problem with the wider public.

He also provided several PoC document files that take advantage of the feature to perform actions like locking the users’ Windows workstation and swaping their mouse button functions.

“These documents are clean for all antivirus providers, and tested to pass Messagelabs, etc (other cloud based email security providers are available). I have also tested these documents on Malwarebytes Anti-Exploit and a leading behavioral endpoint product (under NDA so cannot name) – both fail to spot it,” he claims.

“Additionally, it is not flagged by Cuckoo Sandbox or Palo-Alto Wildfire sandbox. Through months of testing it has become clear that security solutions simply do not touch this issue.”

The OLE Packager cannot be disabled, he says. “If you have Microsoft EMET already deployed, add a rule for Excel, Winword (sic) and Powerpoint — it needs to be an ASR rule which denies packager.dll. Because you cannot control this on a document-by-document basis, you may break legitimate OLE Packager usage (e.g. embedding Excel documents in PowerPoint),” he advised.

Beaumont notes that Microsoft has tried to mitigate the issue in the past by making warning messages popping up when users opened risky file types, but that it hasn’t kept the list updated over the years. Also, he noted, the warning messages can be clicked through, and this is what most users usually do.

Don't miss