Microsoft warns of Office-related malware

Microsoft's Malware Protection Center issued a warning this week that it has spotted malicious code on the Internet that can take advantage of a flaw in Word and infect computers after a user does nothing more than read an e-mail. The flaw was addressed in November in a fix issued on Patch Tuesday, but with malicious code now spotted in the wild, the protection center apparently wants to be sure the update wasn't overlooked.

Last November, Microsoft released security bulletin MS10-087, which addresses a number of critical vulnerabilities in how Microsoft Office parses various office file formats. One of them is CVE-2010-3333, "RTF Stack Buffer Overflow Vulnerability," which could lead to remote code execution via specially crafted RTF data. A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious shellcode which downloads other malware.

The vulnerability can be triggered by utilizing a specially crafted RTF file with a size parameter that is bigger than the expected one. The vulnerability is present in Microsoft Word. It attempts to copy RTF data to the stack memory without validating the size, which will lead to overwriting the stack.

After executing the code in figure 1.10, the stack memory is overwritten by first part of the shellcode. The challenge for the exploit writer here is to make sure that the shellcode gets control and is executed. In this sample, one of the return addresses was overwritten by another address, which can be found in any known DLL loaded in the memory. That address contains a single piece of code, Jmp ESP, that transfer the control to the stack memory containing our first shellcode.