Microsoft Office CTaskSymbol Use-After-Free Vulnerability

By ISBuzz Team
Writer, Information Security Buzz | Oct 05, 2015 11:35 pm PST

A ‘use-after-free’ vulnerability, first reported to Microsoft in Feb 2015 by MWR Labs and now identified as CVE-2015-1642, was discovered in Microsoft Office’s suite of desktop applications, including Word, PowerPoint, Excel, and Outlook.

To exploit a ‘use after free’ (UAF) vulnerability, a type of memory corruption flaw, an attacker needs to be able to control how memory is allocated and freed in order to execute arbitrary code. Previous flaws have shown that this is not too difficult: CVE-2012-4969, CVE-2012-4792, CVE-2015-0311 and CVE-2015-5119 are all examples of UAF vulnerabilities in Internet Explorer and Adobe Flash that were found to be exploited in the wild. In the case of this vulnerability, Microsoft Office applications were found to improperly handle the CTaskSymbol COM object in memory while parsing a crafted Office file.

This UAF vulnerability is triggered when the TaskSymbol ActiveX object is loaded. To make use of it, an attacker would first need to ‘trick’ a user into opening a malicious document, most likely through spear phishing, although other methods exist. In most cases, simply opening the specially crafted document is enough for the attacker’s arbitrary code to run in the context of the logged-in user, unless the specific COM control has been kill-bitted, that is, marked so that it is not allowed to run.

Microsoft has now issued a security bulletin and, as this vulnerability was found being exploited in the wild, it is recommended that update MS15-081 is installed without delay to close this UAF vulnerability.

Of course, this doesn’t mean that similar vulnerabilities don’t also exist, so the advice to users remains to always exercise caution when opening email attachments and files from other untrusted sources. For the enterprise, limit administrative accounts: users configured with fewer user rights could be less impacted than those who operate with administrative user rights. If the patch hasn’t been installed, for whatever reason, a workaround is for administrators to either disable this ActiveX control or view all documents in Protected View mode.
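The kill-bit workaround mentioned above can be checked and applied from an elevated PowerShell session. This is an added example, not code from the article or from MWR; the CLSID used below is a placeholder, since the article does not give the CTaskSymbol CLSID, and the real value must be taken from the MS15-081 bulletin.

```powershell
# Added example (not from the article): inspect and set the ActiveX kill bit
# for a COM class. Office and Internet Explorer honour a kill bit stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID},
# where bit 0x400 of the "Compatibility Flags" DWORD marks the control as
# not allowed to run.
# The CLSID below is a PLACEHOLDER: the article does not give the CTaskSymbol
# CLSID; take the real value from the MS15-081 bulletin before using this.

$KillBitFlag = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitStatus {
    # Returns $true when the kill bit is already set for the given CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    # Writes to HKLM, so this needs an administrator session.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBitFlag   # preserve any flags already present
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -PropertyType DWord -Force | Out-Null
}

# Placeholder CLSID; replace with the CTaskSymbol CLSID from the bulletin.
$TargetClsid = '{00000000-0000-0000-0000-000000000000}'

if (Get-KillBitStatus -Clsid $TargetClsid) {
    Write-Output "Kill bit already set for $TargetClsid"
} else {
    Write-Output "Kill bit not set for $TargetClsid; setting it now"
    Set-KillBit -Clsid $TargetClsid
    Write-Output "Kill bit set: $(Get-KillBitStatus -Clsid $TargetClsid)"
}
```

On 64-bit Windows with 32-bit Office, the same key also exists under HKLM:\SOFTWARE\Wow6432Node\..., so run the check against both paths.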

It’s been quite some time since we last saw a big patch for Microsoft Office, and this vulnerability serves as a reminder that it is no safer than other applications perceived as susceptible, such as Internet Explorer.

About MWR InfoSecurity

Established in 2003, MWR InfoSecurity is a research-led information security consultancy, with a client list consisting of Dow Jones, NASDAQ, FTSE 100 companies and Government agencies & departments. MWR consults with clients around the world, providing specialist advice and services on all areas of security, from mobile through to supercomputers.

Central to its philosophy is the desire to deliver high quality cyber security consulting services and unsurpassed levels of support to clients. MWR’s focus is working with clients to develop and deliver a full security programme, tailored to meet the needs of each individual organisation.

MWR’s services range across professional and managed services, technical solutions and training covering areas such as security research, incident response, web defense, phishing, mobile and payment security.