Threat Intelligence

    Mimecast Discovers 3D Office Exploiter Vulnerability in MS Office

    New Mimecast research demonstrates how CVE-2020-1321 potentially impacts unpatched versions of Microsoft Office for Windows and Mac.

    by Matthew Gardiner
    gettyemail-inbox.jpg

    Editor’s note: Thanks to Mimecast Research Labs’ Menahem Breuer and Ariel Koren for this discovery.


    Mimecast has made another research vulnerability discovery within Microsoft Office, leading Microsoft to release a patch listed asMicrosoft Office Remote Code Execution Vulnerability, which addressed the vulnerability CVE-2020-1321.

    Since the vulnerability was originally discovered by Mimecast researchers and reported only to Microsoft through its responsible disclosure process - until now – this article will share more on the research and discovery. If you want to learn more about the vulnerability and of the importance of crashing an application, fuzzing, and remote code execution, read on to learn how the 3D Office Exploiter vulnerability potentially impacts unpatched versions of Microsoft Office for Windows and Mac.

    An Attacker’s Dream: Remote Code Execution

    What is the “3D Office Exploiter” vulnerability, and why should you care? One of the dreams of sophisticated cybercriminals is to find an unknown and unpatched way - known as a zero-day vulnerability - to make a system execute code how and when the attacker wants it to be executed. In other words, the attacker remotely supplies the code that the target’s machine will execute, widely known as remote code execution. From there, the malicious actor has what they need to build and launch an exploit of that vulnerability. Add to that the ability to embed the vulnerability in a common file - a Microsoft Word document or even a simple web page, for instance – and it becomes a much more powerful weapon in the hands of an attacker, as email delivery to an unsuspecting target has consistently proven to be such a successful way to land an exploit.

    3D models in Microsoft Office allow users to easily insert 3D models into any PowerPoint, Word, or Excel file and manipulate the model with built-in tools to rotate, flip, spin, pan, and zoom for ideal placement. There are several types of 3D objects and Office support: fbx, obj, 3mf, ply, stl, glb. These complex features require a lot of logic, and as 3D objects rise in popularity as they’re supported by more and more image renderers, the chance for possible bugs increases accordingly.

    In the course of ongoing research focused on Microsoft Office applications, Mimecast researchers noted they could affect the behavior of 3D charts by randomly changing the relevant inputs to the applications. This gave the researchers a clue that there was a coding error somewhere deep in the 3D library, which is widely shared and used on the Microsoft Windows platform, and could lead to hackers dependably being able to crash application that depend on it. Once a malicious actor knows how to reliably crash an application, they can then cause code to be executed on demand as a result of the crash.

    To Keep Up with Cybercriminals, Try Fuzzing

    A key technique the Mimecast researchers used to take the next step with the 3D library is known as fuzzing or fuzz testing. Fuzzing is an automated method of providing likely invalid or randomized bad data into an application, with potentially millions of iterations, to try to make the program fail or crash, while trying to process unexpected or invalid input. Such inputs increase the chance of producing edge-case handling, exposing the application to unexpected behavior normally leading to software crashes or unexpected results. Some of them might be exploitable by attackers who can create specially crafted input samples aimed for causing DDOS, sensitive information leak or even remote code execution on the host.

    Once researchers discovered the crash input data set and sequence, they neared the discovery of an exploitable zero-day vulnerability. This is because the crash sequence and the associated memory locations of Office applications are well known, giving the malicious actor an opportunity to insert code to execute immediately before the program closes out in a crash. And thus, a new exploitable vulnerability is discovered.

    Patch It, or Risk a Severe Exploit

    Given the volume of organizations around the world using Microsoft Office applications – there are roughly 1.2 billion users of Microsoft Office worldwide – it is critical that organizations implement Microsoft’s patch before this vulnerability can be exploited.

    How might it be exploited? Attackers could direct an Office file they constructed via a phishing email or even just by visiting a URL to both cause a crash as well as run their embedded code just before the program exits.

    Fortunately, although Microsoft released the patch beyond the parameters of its 90-day shared disclosure process, as of the time of this writing, there are no known exploits of 3D Office Exploiter, so organizations have a window of time when they can apply the patch and reduce their risk ahead of the cybercriminals. Because of the static file analysis capabilities of the Mimecast Secure Email Gateway with Targeted Threat Protection and Web Security, Mimecast customers are already protected against potential exploits of this vulnerability.

    The Best Defense is a Good Offense

    It is an old truism in sports that the best defense is a good offense. Whether you play hockey, football (American), football (everywhere else in the world), tennis, or really any sport where offense flows back-and-forth with defense (sorry, baseball), you will understand that a purely defensive game can leave one very vulnerable to being scored upon. A nonstop offense can eventually break a purely defensive strategy.

    This truism also applies directly to cybercriminals and cyber defenders. If cyber defenders like Mimecast sit back and only react to what the cybercriminals are doing, the defense won’t be as effective as it could be. This is why Mimecast researchers are regularly probing relevant software and systems for vulnerabilities and participating in responsible disclosure programs; we must be on a level playing field or even ahead of the attackers.

    The Bottom Line

    If exploited, this vulnerability has potentially severe ramifications. NVD (the U.S. National Vulnerability Database) rated its severity as an 8.8 out of 10, since an attacker who successfully exploited the vulnerability could potentially take control of a targeted system in the context of the running user - a compelling reason to install the patch sooner rather than later.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top