News

US-CERT and Microsoft Team To Deliver Guidance on Office Malware

• By Kurt Mackie
• 06/16/2016

New info has been released on a popular tactic being used to spread malicious files through Office documents.

This tactic uses the Object Linking and Embedding (OLE) capability of Microsoft Office documents to perpetuate an attack. This method isn't prevalent so far. There has been "a steady decline" in such attacks since its discovery in late May, Microsoft indicated, in its announcement.

OLE Attacks
Under this OLE attack scenario, users get a Word document with instructions to follow. Typically, the instructions try to get the user to activate an object embedded in the document by clicking on it, which typically activates a malicious JavaScript or a Visual Basic script. The user might be told to double click on the object in order to unlock the document's content, for instance.

The scripts, when executed, typically drop malware, such as "TrojanDownloader:VBS," Microsoft noted.

IT pros can modify the Windows registry to block OLE package activation. They can opt to disable objects from activating, which will block script execution by end users. Microsoft lists the steps to carry that out in this support article, although it references Office 2007.

Microsoft attributed the appearance of these OLE attacks to better Office security precautions against the similar use of macros to conduct such attacks. However, that view isn't the way the United States Computer Emergency Readiness Team (US-CERT) sees it. For US-CERT, there's been a recent "resurgence" of Office macro attacks. It issued a warning to that effect this month.

Macro Attacks
This resurgence of Office macro attacks is all Microsoft's fault, according to US-CERT. Microsoft has made its Office macro warnings more confusing for end users ever since the release of Office 2010. The user interface changes in the software are to blame, according to analysis by the CERT/CC blog. Attackers are now using social engineering techniques to try to get users to enable macros by clicking on the "Enable Content" button, which is less descriptive than past warnings Microsoft has produced. Enable Content actually turns on macros in Office documents.

"The default behavior of Microsoft Office has usually allowed for inadvertent execution of malicious macros, but recent versions of Microsoft Office make it much easier for the user to make the wrong decision," the CERT/CC blog stated.

US-CERT recommends restricting access to macros in Office, which can be done by making Registry changes. Office 2016 and Office 365 have a simpler option by opting to block macros in "documents that originate from the Internet," as described here. US-CERT recommends blocking macros "without notification" to the end user for the older Office editions.

Microsoft Office for Mac 2016 apparently doesn't have an option for disabling macros, the CERT/CC blog noted.