Fortinet has discovered a potential attack surface for Microsoft Office via EXD files. Once a malformed or specially crafted EXD file is placed in an expected location, it could trigger remote code execution when a document containing ActiveX content is opened in an Office application.
Type Library (TypeLib) vs Extender Type Library (EXD)
A type library (described as a TypeLib by MSDN) is familiar to people who often deal with COM or ActiveX component development, as it is always associated with these components. As quoted from MSDN, TypeLibs are binary...
by Wayne Chin Yick Low  |  Apr 01, 2016  |  Filed in: Security Research
Tags: office 0day
Introduction
Recently, we came across an unknown document exploit that was mentioned in a blog post by the researcher @ropchain. As part of our daily routine, we decided to take a look and see whether there was something interesting about the document exploit. The SHA1 of the sample used in this analysis is FB434BA4F1EAF9F7F20FE6F49C4375E90FA98069. The file we're investigating is a Word document called amendment.doc.
Understanding the vulnerability
In fact, the exploit is not widely covered by AV vendors, which makes it more challenging...
by Wayne Chin Yick Low  |  Aug 20, 2015  |  Filed in: Security Research
A psychologist might tell you that the way a child plays in the sandbox is a reflection of how they will act in their adult life. The same is true for malicious software, though we aren't speaking about the same kind of sandbox. There is a growing concern among security professionals about advanced persistent threats (APTs). The problem is not new, but it is of growing importance. Now, more than ever, highly targeted attacks (often specifically crafted to beat traditional defenses) pose a significant risk to enterprise-level organizations. Despite advances...
by David Finger  |  Nov 19, 2013  |  Filed in: Security 101