
Analysis of the Attack Surface of Microsoft Office from a User's Perspective

• Haifei Li (haifei.li@intel.com)
About Me
➢ Security Researcher at Intel Security (McAfee)
➢ Previously: Microsoft, Fortinet
➢ My work:
➢ Focus on Microsoft ecosystem
➢ Security research that benefits real-world
detection/defense
➢ Trying methodologies to help next-generation research
➢ Original research presented at CanSecWest (4 times), Black
Hat USA 2015, Microsoft BlueHat v16, etc.
Agenda
➢ Introduction
➢ Delivery Scenarios
➢ Risk of Uncommon Office Apps
➢ OLE Attack Surface
➢ Attack Surface of Less-Known Office Features
➢ Privacy Concerns of Office Apps
➢ Conclusion
Introduction
➢ Microsoft Office is a suite of productivity software
➢ We are focusing on desktop applications installed on
Windows PCs
➢ Some Office apps are now on Apple Macs, too
➢ https://products.office.com/en-us/mac/microsoft-office-for-mac
➢ Office also offers mobile apps on Windows App Store,
iOS, and Android
➢ https://products.office.com/en-us/mobile/office
➢ There’s even an online version of Office
➢ Server-side software, work in browsers
➢ https://products.office.com/en-us/office-online/documents-spreadsheets-presentations-office-online

➢ Don’t mess it up!


A User’s Perspective
➢ In this presentation, we are not going to talk about
traditional “memory corruption” bugs in Office
➢ We will look at Office from a higher level
➢ Instead, we will focus on the attack surface (various
attack scenarios) from a normal user’s perspective,
with the most common/default configurations
➢ How is Office-based threat delivered to the user or
organization?
➢ What has Microsoft done to protect us and what is
missing?
➢ What configurations may impact our security while using
Office?
➢ What could happen after a user opens an Office file?
➢ How big is the attack surface really?
How Are Office Files Delivered?
➢ Scenario 1: downloaded via browsers
➢ Attacker sends a link to the victim
➢ For example, in email body, IM
➢ Victim clicks the link
➢ Browser launched to download the Office file
➢ Victim opens the downloaded file
➢ Includes those who use “web email” to download
email attachments on browser
➢ Outlook Web Access for enterprise users

➢ Scenario 2: as email attachment


➢ Attacker sends an email to the victim, with the
Office file as an attachment
➢ Victim using email client opens the attachment
➢ Very common for enterprise users
MOTW and Protected View
➢ When saving a file to the local system, an NTFS
“Zone.Identifier” stream is added to the Office file
➢ Called “Mark of the Web” (MOTW)
➢ Done by the application (browser, email clients, etc.)
➢ All major browsers and email clients support MOTW
➢ Chrome, IE, Edge, Firefox, Outlook, Thunderbird
➢ Word/PowerPoint/Excel honor MOTW. When MOTW is
present, the Office file will be opened in Protected View
mode.
MOTW vs. Protected View
➢ It’s a strong sandbox to keep Office users safe
against various security and privacy risks
➢ Research from MWR Labs
https://recon.cx/2015/slides/recon2015-16-yong-chuan-koh-Understaning-the-Microsoft-Office-Protected-View-Sandbox.pdf
➢ With Protected View, basically everything that could bring
security or privacy risks is disabled
➢ ActiveX
➢ OLE
➢ Macros
➢ Remote resource loading
➢ Etc.

➢ It’s pretty safe if users always stay in Protected View!


Are We Happy Now?
➢ Theory: Protected View should protect us all!
➢ Real world: Users get hacked by Office-based threats
➢ Office VBA macros
➢ Office vulnerability exploits
➢ Other exploits (e.g., Flash) packed as Office files
The Real World
➢ Users often click
➢ Users often ignore Office warnings

➢ For an Office macro ransomware attack to succeed,
the victim needs to ignore two warnings
Office VBA Macros
Terrible UI Design
➢ Microsoft says: We have warned you
➢ Users reply: What?
➢ Security researchers warned about the Enable Content
button’s “one-click” problem at least by January 2012

➢ Couldn’t Microsoft design a better interface for this?


➢ We cannot just claim all users are dumb
➢ A warning that does not work for most users is not a warning
Bypassing Protected View
➢ Let’s talk about where Protected View does not work
➢ Escaping from the Protected View is hard (no exploits so
far), but what if Protected View is not there?
➢ Not escaping, but bypassing
➢ It’s important to have a close look at the Protected View
bypassing scenarios
➢ We’re living in the real world
➢ We look at security from a real-world point of view
Browser Protected View Exceptions
➢ Most major browsers are good
➢ However, there are some exceptions
➢ When “trusted site” is set, IE will not invoke MOTW
for downloading, thus no Protected View for Office
➢ Since Nov. 2015, Dell System Detect has added
*.dell.com to trusted sites
➢ https://justhaifei1.blogspot.com/2015/11/superfish-21-dell-system-detects.html
➢ Some browsers do not use MOTW at all
➢ Baidu Browser (confirmed on 8.6.100.3969)
How Outlook Handles Attachments
➢ Office files delivered as email attachments are
very common, especially in the enterprise
➢ Most enterprise cyberattacks start from a malicious
email attachment

➢ Thus, it’s important to examine how Outlook
really handles attachments
➢ Not just Office files, but all file types
➢ Think as a typical user
➢ Who will click everywhere
How Outlook Handles Attachments
➢ Unsafe extension names
➢ No way to open them from Outlook
➢ .exe, .vbs, .ps1, .js

➢ For extensions considered *potentially unsafe*
➢ Additional user interactions needed
➢ “Save as” to local disk, manually open it
➢ .html, .pub
How Outlook Handles Attachments
➢ For extensions considered “safe”
➢ Double-clicking on the attachment launches application
➢ It’s important to examine such scenarios because they
pose real risks to users
➢ The “safe” extension names include:
➢ Word: .docx, .doc, .docm, .dot, .dotx, .dotm
➢ PowerPoint: .pptx, .ppt, .pptm, .pps, .ppsx
➢ Excel: .xlsx, .xls, .xlsm, .xla
➢ Picture/audio/video: .png, .jpg, .mp4, .mp3, .mkv, .avi
➢ Others: .txt, .application
Protected View in Place
➢ The most dangerous risks exist in handling
Word/PowerPoint/Excel files
➢ However, Outlook has taken care of it
➢ With Protected View in place
➢ Word/PowerPoint/Excel attachments are opened from
Outlook with Protected View
Some Exceptions
➢ We’ve found that sometimes in domain-joined environments
Office attachments are opened without Protected View
➢ Outlook + Exchange Server, domain joined
➢ Typical environment for many organizations using Microsoft
products
➢ If the attachment is sent within the organization, no PV
➢ e.g., adam@example.com sends a .docx to bill@example.com
➢ For external senders, we’ve seen three possibilities:
➢ Attachments from all external senders are opened in PV
➢ If the external sender is a “known” address for the user, no PV
➢ Attachments from all internal senders are opened without PV
We’d like to thank Randy Zhong (@randy_zhong), Steeve Barbeau (@steevebarbeau), and
Dennis Dwyer (@dunit50) for helping us on testing these behaviors.
It’s an Expected Behavior
➢ Microsoft already knows this
➢ On client side
➢ The registry key MarkInternalAsUnsafe, when set, forces
users to open all Office files in Protected View mode
(https://support.microsoft.com/en-us/kb/2714439)
➢ On server side
➢ Admin could control the behavior on Exchange Server

➢ The default configuration is that the “same-org”
Office files will be opened without Protected View
➢ Inside threats
➢ To IT admins: run your tests, review your configs
Protected View Bypass: Uncommon File Types
➢ Earlier this year, we found the .xla extension interesting
➢ Excel add-in file
➢ Considered “safe” on Outlook; open directly via double click
➢ No Excel Protected View for this file type

➢ We found we could do the same dangerous things with
an .xla file
➢ Embed OLE objects like Flash
➢ Simply save a .xlsx or .xls as an .xla

➢ Easy to open on Outlook, can do bad things, but no
Protected View
➢ Addressed as CVE-2016-3279
➢ https://blogs.mcafee.com/mcafee-labs/patch-now-simple-office-protected-view-bypass-could-have-big-impact
The Cloud Drive Risk
➢ We have discussed two traditional ways that
personal/enterprise users receive Office files
➢ There’s another way, especially for personal users
➢ Let’s check into Microsoft’s hotmail.com
The Cloud Drive Risk
➢ Single click on “Save to OneDrive - Personal”
➢ The file will show up in your local OneDrive, like magic!
➢ That’s how “cloud drive” products work

➢ When the user opens the file in OneDrive, there is
no Protected View
The Cloud Drive Risk
➢ Same thing on Gmail + Google Drive

➢ And on third-party “drives” connecting to email services
➢ DropBox, Box, etc.
The Cloud Drive Risk
➢ No MOTW for “cloud drive” products
➢ They were not designed for it; they don’t know where the files
come from

➢ When they connect to email services
➢ The attachment is indeed from others (a possible attacker)
➢ Online email providers are encouraging users to go this way

➢ Warning: Could be an effective way for attackers to
deliver Office-based threats
➢ Typical Windows 10 users use Microsoft account that connects
all services (email, OneDrive, Office)
➢ Could play some social engineering tricks in email body
➢ “You can view the Word content only via your OneDrive"
Office: Bigger Than You Thought
➢ Office is not Word/PowerPoint/Excel
➢ We have reviewed various PC Office offerings
➢ Including the modern way, Office 365
➢ https://products.office.com/en-us/home

➢ Many Office offerings from Microsoft will install not
only Word, PowerPoint, and Excel, but also:
➢ Publisher
➢ Access

➢ Even the “old-style” Office 2016 Professional installer
won’t let you choose apps; you get them all
Office: Bigger Than You Thought
➢ Why do we care about all these apps?
➢ Most users face a bigger attack surface
➢ If we talk about Office security, we need to think
about problems in Publisher and Access

➢ Let’s review Publisher security
➢ Publisher seems to use only the .pub extension
Could a .pub File Be Bad?
➢ Fact 1: .pub files could contain OLE objects
Could a .pub File Be Bad?
➢ Fact 2: .pub files could contain VBA macros
➢ Real-world attacks have been seen in the wild since at
least September 2016
➢ https://moradlabs.blogspot.com/2016/09/the-case-of-malicious-pub-file.html
➢ https://myonlinesecurity.co.uk/exxonmobile-introduction-letter-malspam-with-macro-enabled-microsoft-publisher-files-distribute-malware

➢ This is something new. But why a problem?
No Protected View on Publisher
➢ We now know that Protected View is an effective
protection to stop all Office threats, including macros
➢ Fact 3: But Publisher has no Protected View
➢ Microsoft does not provide this feature on Publisher

➢ May explain why bad guys have recently been
using .pub files to deliver malware
➢ Bad guys may have already known
➢ No Protected View => higher success rate
➢ If Protected View exists for Office macros, attacker needs
victim to ignore two warnings (Protected View and macros
warnings)
➢ When delivering Publisher files, victims need to ignore only one!
Microsoft’s Opinion
➢ MSRC: “Feature request”

➢ We think it’s okay for Outlook (Outlook does not allow
opening .pub directly), but it’s a real concern for other vectors
➢ Download .pub via browser
➢ Some email clients consider
.pub to be safe to open
➢ Mozilla Thunderbird
Conclusion
➢ The many Office offerings unnecessarily increase the
attack surface
➢ How many users use Publisher or Access?

➢ For users
➢ Do not open any .pub files unless you are sure the
sender is trusted
➢ With some tricks, it is possible to install only the Office
apps you need
➢ http://www.askvg.com/tip-customize-microsoft-office-click-to-run-c2r-setup-to-install-selected-programs-only
OLE 101
➢ Embedding a document in another document

➢ Just by double-clicking on the “checklist” documents,
readers open another document
OLE Internals
➢ OLE provides the majority of interoperability
functions in Office
➢ Just a subset of COM

➢ Two types of OLE objects
➢ In-process OLE (in-process COM), loaded via
ole32!OleLoad()
➢ Separate-process OLE (separate-process COM),
loaded via ole32!OleRun()
OLE Attack Surface
➢ We explained OLE internals (for in-process OLE)
and the attack surface at Black Hat USA 2015
➢ https://sites.google.com/site/zerodayresearch/Attacking_Interoperability_OLE_BHUSA2015.pdf
has been referenced by many researchers; it has helped their
research against Office-based threats

➢ Attack vector 1: IPersistStorage::Load()
➢ CVE-2012-0158
➢ Attack vector 2: IOleObject::DoVerb()
➢ CVE-2014-4114
➢ Attack vector 3: DLL-preloading vulnerabilities caused by
CoCreateInstance()
➢ Lots of Office DLL-preloading vulnerabilities discovered
after our Black Hat talk
OLE on Outlook: BadWinmail Attack
➢ After our Black Hat talk, we found that OLE is also
supported by Outlook
➢ A Flash OLE object can be packed as a TNEF email
OLE on Outlook: BadWinmail Attack
➢ Flash exploit runs as soon as you read the email
➢ Ideal targeted/APT attack method
➢ Targets everybody (CEO/CFO) as long as the victim reads email
➢ Wormable
➢ Spreads through emails
OLE on Outlook: BadWinmail Attack
➢ Typical Flash zero-day delivery method
➢ Attacker sends an email containing a malicious link
➢ Users need to be lured to click on that link
➢ Flash exploit still needs to bypass the browser sandbox
(Chrome, IE, Edge), which is fairly hard work today

➢ With BadWinmail
➢ Exploit triggered as long as user reads email, no sandbox
➢ Pwning like a boss☺

➢ References
➢ MS15-131/CVE-2015-6172
➢ https://technet.microsoft.com/en-us/library/security/ms15-131.aspx
➢ Paper released at:
➢ https://sites.google.com/site/zerodayresearch/BadWinmail.pdf
➢ More insights in our CSW16 slides
➢ https://sites.google.com/site/zerodayresearch/BadWinmail_and_Email_Security_Outlook_final.pdf
Abusing ‘Separate-Process’ OLE
➢ When a separate-process OLE object is being initialized
➢ A new process will run (if the host process is not already
running)
➢ With a few modifications to the Sandworm zero-day sample
Opening a Word File in Separate Process
Opening a PDF File in Separate Process
Think Deeper, Think Bigger
➢ The sample leverages a feature on PowerPoint to
control when to “activate” the OLE object
➢ Called Animation on PowerPoint; here is the proof


Think Deeper, Think Bigger
➢ After more testing, we realized that:
➢ We could craft the persist storage data to transfer
our exploit content into the target process
➢ Open a .ppsx => run a Word/PDF exploit
➢ The Animation feature could control when to play
(activate) the OLE objects
➢ When to run the exploit
➢ We could even put many OLE objects on the slides
and control at which time each OLE object will be
activated
➢ Run different exploits one by one
➢ Like the “task schedule” feature on Windows
Bypassing ASLR via OLE
➢ Regardless of many internals, a simple fact of
ASLR is that it requires that a program stop
running (crash) when the exploit fails to bypass
the ASLR
➢ For example, if we exploit a service that will always
restart after crashing, we don’t need to consider
ASLR
➢ You could always try, but it doesn’t matter; eventually
you will succeed

➢ In our situation, if we “feed” an exploit (Word, PDF,
etc.), even if it fails due to ASLR
➢ It does not matter: Our main program, the
PowerPoint process, will survive
Bypassing ASLR by Brute Force
➢ Something we could achieve
➢ If our exploit fails, our main program is still alive
➢ With the Animation feature on PowerPoint, we could
feed different exploits (content) at different timings
➢ 1st second => run Word exploit 1 => hit EIP 0x77661122
➢ 5th second => run Word exploit 2 => hit EIP 0x77671122

➢ Facts: most vulnerable applications in the real world
are still 32-bit
➢ Office (32 bit is the vast majority)
➢ Adobe Reader (32 bit)
➢ etc.
Bypassing ASLR by Brute Force
➢ If we put a maximum of 256 OLE objects on the slides,
chaining them with the Animation feature, we could
eventually “brute-force” the ntdll.dll address
➢ Alexander Sotirov and Mark Dowd’s Black Hat 2008 paper,
http://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf
➢ In the real world, you do not need to try 256 times

➢ An interesting way to bypass ASLR☺


➢ Because there are various types of OLE objects in the real
world, we do not see this lowering the universality of the technique
➢ Reported to Microsoft in July 2015
➢ MSRC recently concluded: “Won’t fix”
Office Is Really Complex
➢ Lots of features
➢ Lots of little-known or unknown features

➢ More features = bigger attack surface = more
vulnerabilities, more exploitation techniques
➢ We have a good example
VBA Engine on Office
➢ Everybody now knows the VBA engine on Office
due to macro ransomware
Digging Deeply Into the VBA Engine
➢ Do you really know how it works?
➢ How is the VBA code represented in an Office file?
➢ Several months ago, we did some digging into the VBA engine

➢ We found an OLE stream named dir that contains
some info about the embedded VBA project
➢ Present in most, if not all, VBA projects
Digging Deeply Into the VBA Engine
➢ The data of the dir stream is compressed
➢ You need to decompress it first

➢ Microsoft has released the specification, in “[MS-OVBA].pdf”

➢ The parsing of the data of the dir stream will always happen,
regardless of the VBA macro warnings
➢ Initializing VBA env (parsing dir stream) =>
➢ Checking for macro warning =>
➢ (If ignoring the warning) VBA macro code will run
A Decompressed ‘dir’ Stream
REFERENCEREGISTERED Record
0D 00        // Identifier, MUST be 0x000D
7E 00 00 00  // Size
61 00 00 00  // SizeOfLibid
// Libid
*\G{22222222-2222-2222-2222-222222222222}#1.1#0#\\server\folder\test.tlb#EEEEEE 2004 Type Library

➢ The Libid field is a string, pointing to a .tlb file
➢ Suggests it is a type library file
➢ Let’s see what happens in the debugger
Debugging
Breakpoint 0 hit
eax=00436614 ebx=00436658 ecx=00000000 edx=77a86bf4
esi=0020c57c edi=76f91d4a
eip=5e2cef73 esp=0020c4d0 ebp=0020c504 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000206
VBE7!rtcFileCopy+0x1e96e:
5e2cef73 ffd7 call edi {OLEAUT32!LoadTypeLib (76f91d4a)}
0:000> du poi(esp)
00436614 "\\server\folder\test.tlb"
What Does It Mean?
➢ It calls the Windows API LoadTypeLib() to load the type
library file

➢ Hacking into the type library format
➢ It’s well known now that loading an attacker-controlled type
library file could result in arbitrary code execution, e.g., EIP
easily hijacked to 0x41414141
Loading Attacker-Controlled Type Library = RCE
➢ @Tombkeeper first discussed it in 2008–2009
➢ Attack vector: loading remote type library in VS
➢ Microsoft response: not a security issue
➢ Fortinet reported it again in Dec. 2015
➢ https://blog.fortinet.com/2016/04/01/exd-an-attack-surface-for-microsoft-office
➢ Microsoft response: “attack vector described in the report does not
meet the bar of their service criteria”
VBA Engine Revives It
➢ Can the malicious type library be controlled by an
attacker in a typical environment?
➢ In our attack vector
➢ The process of loading the type library happens before
the check of macro security
➢ So it works even when macros are disabled
➢ Using UNC path, we could let Office load a remote
attacker-controlled type library file
➢ Initial exploit organized as Office file; type library file
hosted on attacker’s server
➢ A perfect attack vector
➢ Microsoft response: security patch was released on this
Patch Tuesday
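As an added, defender-side example (not code from the slides or from Microsoft), the following Python parser does what the dir stream slides above describe: it decompresses the stream per [MS-OVBA], walks its records, and flags REFERENCEREGISTERED records whose Libid path is a UNC path, i.e. a type library the VBA engine would fetch from a remote server before any macro warning is shown. It assumes the caller has already extracted the raw dir stream from the document's VBA storage (e.g. with an OLE/CFB library); the sample stream at the bottom is constructed here, reusing only the Libid from the slide, and all function names are mine.

```python
import struct
def decompress_vba(data: bytes) -> bytes:       # MS-OVBA 2.4.1 decompression
    if not data or data[0] != 0x01:
        raise ValueError("bad container signature")
    out, pos = bytearray(), 1
    while pos < len(data):                      # one (up to 4096-byte) chunk per loop
        header = struct.unpack_from("<H", data, pos)[0]
        chunk_end = min(len(data), pos + (header & 0x0FFF) + 3)
        pos += 2
        chunk_start = len(out)
        if not header >> 15:                    # CompressedFlag=0: raw chunk
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = data[pos]                   # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:      # literal token: copy one byte
                    out.append(data[pos])
                    pos += 1
                else:                           # copy token: (offset, length) pair
                    token = struct.unpack_from("<H", data, pos)[0]
                    pos += 2
                    bit_count = max(4, (len(out) - chunk_start - 1).bit_length())
                    length = (token & (0xFFFF >> bit_count)) + 3
                    offset = (token >> (16 - bit_count)) + 1
                    for _ in range(length):     # overlapping copies are allowed
                        out.append(out[-offset])
    return bytes(out)
def parse_dir_records(stream: bytes):           # yields (Id, payload) per record
    pos = 0
    while pos + 6 <= len(stream):
        rec_id, size = struct.unpack_from("<HI", stream, pos)
        pos += 6
        if rec_id == 0x0009:      # PROJECTVERSION: Size field is a fixed 4, but
            size = 6              # the payload is VersionMajor(4)+VersionMinor(2)
        yield rec_id, stream[pos:pos + size]
        pos += size
        if rec_id == 0x0010:      # PROJECT terminator
            break
def find_typelib_references(stream: bytes):     # -> [(path, is_unc), ...]
    refs = []
    for rec_id, payload in parse_dir_records(stream):
        if rec_id == 0x000D:                    # REFERENCEREGISTERED
            libid = payload[4:4 + struct.unpack_from("<I", payload)[0]].decode("latin-1")
            parts = libid.split("#")  # *\G{CLSID}#Major.Minor#LCID#Path#Description
            path = parts[3] if len(parts) >= 4 else libid
            refs.append((path, path.startswith("\\\\")))   # UNC => remote .tlb
    return refs
# Constructed sample (not a real document): literal-token-only container holding
# a few dir records plus the REFERENCEREGISTERED record from the slide.
def _record(rec_id: int, payload: bytes) -> bytes:
    return struct.pack("<HI", rec_id, len(payload)) + payload
def compress_literals(data: bytes) -> bytes:    # single chunk, data <= 4096 bytes
    body = bytearray()
    for i in range(0, len(data), 8):
        body.append(0x00)                       # flag byte: eight literal tokens
        body += data[i:i + 8]
    return b"\x01" + struct.pack("<H", 0xB000 | (len(body) - 1)) + bytes(body)
LIBID = (r"*\G{22222222-2222-2222-2222-222222222222}#1.1#0#"
         r"\\server\folder\test.tlb#EEEEEE 2004 Type Library")
SAMPLE_DIR = compress_literals(
    _record(0x0001, struct.pack("<I", 1))                             # PROJECTSYSKIND
    + struct.pack("<HI", 0x0009, 4) + struct.pack("<IH", 0x61, 0x0A)  # PROJECTVERSION
    + _record(0x0016, b"test") + _record(0x003E, "test".encode("utf-16-le"))
    + _record(0x000D, struct.pack("<I", len(LIBID)) + LIBID.encode() + bytes(6))
    + _record(0x0010, b""))                                           # terminator
```

Running `find_typelib_references(decompress_vba(SAMPLE_DIR))` returns the slide's `\\server\folder\test.tlb` path flagged as UNC; on a real document, any flagged path is worth blocking or alerting on at the mail gateway, since the load happens regardless of the macro setting.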
Some Thoughts
➢ Finding new features is a key to exploring the overall
attack surface on Office
➢ We bet not many people knew this beforehand: the VBA
engine will try to load type libraries before the VBA code
runs
➢ Imagine how many features we still don’t know?
➢ Look at how many Office-related specifications Microsoft
has released
➢ Welcome to the adventure!
Privacy Concerns of Office Apps
➢ You may think opening a Word document should not
expose your IP address
➢ A lot of Office file types (Word documents, PowerPoint slides,
Excel spreadsheets, ...) allow “talking” to remote servers when
handling specific objects

➢ Blogged about it in 2013
➢ https://justhaifei1.blogspot.com/2013/10/document-tracking-what-you-should-know.html
What Should We Do?
➢ Know the facts
➢ Word, PowerPoint, Excel (plus Publisher, Access, etc.) are not
“privacy protected” apps

➢ However, the privacy issues do not exist when you stay
in Protected View mode
➢ Protected View is a strong application sandbox on major Office
apps (Word, PowerPoint, Excel)
➢ More reasons to stay in Protected View mode if you do not trust
the sender
➢ However, so far no Protected View on apps other than
Word/PowerPoint/Excel

➢ Unlike other Office apps, Outlook is a “privacy protected”
app
➢ Just reading emails on Outlook will not expose your privacy
Conclusion
➢ The attack surface of Office is pretty big, and is highly
“environment dependent”
➢ Some vectors are due to bad interface design (macro warning)
➢ Protecting Office users should consider the whole computing
environment, even user behavior

➢ Protected View is an effective way to stop Office threats; it
should be enabled in user environments for as many attack
scenarios as possible
➢ Reduce the attack surface by removing unnecessary Office
apps, typically Publisher and Access
➢ Unlike other applications/services, Office has huge
unexplored areas, especially many unexplored features
Thank You!

haifei.li@intel.com

• Special thanks to my colleague Bing Sun, who helped peer-review
the presentation.
• Thanks to the MSRC team and the Office security team for
working with us on various issues.
