Microsoft Word Remote Code Execution Vulnerability

January 22, 2016

Remote code execution vulnerability exists in Microsoft Office software and is caused when the Office improperly handles objects in memory while parsing specially crafted Office files. This could corrupt system memory in such a way as to allow an attacker to execute arbitrary code CVE-2015-0097.

To exploit this vulnerability the user has to be tricked into visiting the attacker's website by clicking on a link. Another scenario could be downloading and opening specially crafted MS office email attachment. Microsoft Word, Excel and Powerpoint contains a remote code execution vulnerability because it is possible to reference documents such as Works document (.wps) as HTML. It will process HTML and script code in the context of the local machine zone of Internet Explorer which leads to arbitrary code execution.

Once the user opens the office document the attacker is able to perform actions in security context of the logged in user.

In the following exploit the word document contains embedded html and script code.

When the user opens this document the code is executed. The code connects to attacker's server and downloads a file which is saved as .hta in the appdataroamingmicrosoftwindowsstart menuprogramsstartup directory.

So when the user reboots the machine this malicious file which is saved in the startup directory is executed. This allows remote attacker to execute arbitrary code via crafted office document aka "Microsoft Word Local Zone Remote Code Execution Vulnerability."

Dell SonicWALL Threat Research Team has researched this vulnerability and released following signature to protect their customers

  • GAV 19554 : Malformed.wps.MP.2