
Undocumented Word feature could lead to system information theft

Researchers have found an undocumented Microsoft Word feature that can be abused by attackers in order to obtain the system information of a victim.

The undocumented Word feature was detailed by Alexander Liskin, heuristic detection group manager, Anton Ivanov, senior malware analyst, and Andrey Kryukov, security researcher at Kaspersky Lab. A hidden feature known only as was discovered by the Kaspersky team in malicious attachments contained in suspected phishing emails. The field contained links formatted in Unicode rather than the intended ASCII format, which are ignored by Word and are used by the attackers to send GET requests to malicious domains.

According to the researchers, targeted attacks using the undocumented Word feature can be very hard to detect because malicious documents “contained no macros, exploits or any other active content.”

“A close inspection revealed that [the malicious documents] contained several links to PHP scripts located on third-party web resources. When we attempted to open these files in Microsoft Word, we found that the application addressed one of the links. As a result, the attackers received information about the software installed on the computer,” the Kaspersky researchers wrote in their analysis. “This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed.”

The researchers noted that the undocumented Word feature was present in versions of Office for Windows, iOS and Android, but said other productivity suites like LibreOffice and OpenOffice did not call the malicious links. The research team also noted there is no official documentation for the field.
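The behaviour described above (a document with no macros or exploit code that still makes Word fetch a remote link) can be checked for on the defender's side without opening the file in Word. The following is an added example, not Kaspersky's tooling or code from the article: it treats the .docx as the zip of XML parts it is, pulls out every field instruction (`w:instrText`) and every package relationship marked `TargetMode="External"`, and reports any that carry an http(s) URL, noting whether the URL contains non-ASCII characters. The field name `PLACEHOLDER_FIELD`, the `example.invalid` URLs and the sample document are all constructed for the example; the article does not name the field, so no real field name is assumed.

```python
"""Scan a .docx for external links hidden in field codes and relationships.

Added example (not from the article or Kaspersky). Assumptions: field
instructions are stored in w:instrText runs, external links in .rels parts
with TargetMode="External", and macros in word/vbaProject.bin. The field
name PLACEHOLDER_FIELD and all URLs below are constructed placeholders.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
URL_RE = re.compile(r"https?://\S+")


def _scan_rels(xml_bytes, part):
    """Yield relationships that point outside the package to an http(s) URL."""
    root = ET.fromstring(xml_bytes)
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        target = rel.get("Target", "")
        if rel.get("TargetMode") == "External" and URL_RE.match(target):
            yield {"kind": "external_relationship", "part": part,
                   "url": target, "non_ascii": not target.isascii()}


def _scan_fields(xml_bytes, part):
    """Yield http(s) URLs found inside field instructions, per paragraph."""
    root = ET.fromstring(xml_bytes)
    for para in root.iter(f"{{{W_NS}}}p"):
        # A field instruction may be split across several runs; join them first.
        instr = "".join(t.text or "" for t in para.iter(f"{{{W_NS}}}instrText"))
        for url in URL_RE.findall(instr):
            url = url.strip('"')
            yield {"kind": "field_url", "part": part, "url": url,
                   "non_ascii": not url.isascii()}


def scan_docx(data):
    """Return {'has_macros': bool, 'findings': [...]} for a .docx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.endswith(".rels"):
                findings.extend(_scan_rels(zf.read(name), name))
            elif name.startswith("word/") and name.endswith(".xml"):
                findings.extend(_scan_fields(zf.read(name), name))
    return {"has_macros": "word/vbaProject.bin" in names, "findings": findings}


def build_sample_docx():
    """Constructed sample: no macros, one field with an ASCII URL, one with a
    Cyrillic letter in the path, and one external image relationship."""
    def field(url):
        return (f'<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                f'<w:r><w:instrText xml:space="preserve"> PLACEHOLDER_FIELD "{url}" </w:instrText></w:r>'
                f'<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        + field("http://example.invalid/collect.php")
        + field("http://example.invalid/c\u043ellect.php")  # Cyrillic 'о' in path
        + "<w:p><w:r><w:t>Hello</w:t></w:r></w:p></w:body></w:document>"
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        'Target="http://example.invalid/track.php" TargetMode="External"/>'
        "</Relationships>"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_docx(build_sample_docx())
    print("macros present:", report["has_macros"])
    for f in report["findings"]:
        print(f["kind"], f["part"], f["url"], "non-ASCII" if f["non_ascii"] else "ascii")
```

A macro-only check reports this sample as clean (`has_macros` is False), which is exactly the blind spot the researchers describe; the field and relationship scan is what surfaces the three outbound links, and the non-ASCII flag picks out the link that Word would not render but may still request.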

Avihai Ben-Yosef, CTO of Cymulate, said the system information theft could likely be just the first stage of an attack.

“[Knowing the] version of Office will allow hackers to identify whether or not the client that opened the Word document is vulnerable to known exploits that could be used to hack them. Imagine that hackers are building a database by simply sending thousands of emails to users and collecting information about those that opened the document,” Ben-Yosef told SearchSecurity. “Hackers will know if their Office version is vulnerable to a specific exploit and will be able to trigger an attack when they feel like it.”


Marina Kidron, head of the Skybox Security Research Lab, said that while spear phishing campaigns like the ones abusing this undocumented Word feature may not always present an imminent threat to an organization, this type of system information theft “could make or break a targeted attack.”

“Intelligence is king in cyberattacks as well as cyberdefense. Targeted attacks are traditionally more complex than distributed attacks, such as ransomware, because they have — and need — more context on the environment they’re working in. With more context, attacks can be crafted to have better chances of evading detection,” Kidron told SearchSecurity. “This can render signature-based intrusion detection systems ineffective and raises the importance of good cyberhygiene stalwarts like network segmentation and vulnerability management. If an attack slips through the intrusion detection system, you need to be sure vulnerabilities with active or available exploits have been mitigated, access is limited and controls are in place to prevent the spread of the attack.”

Intel kill switch code indicates connection to NSA

Security researchers studying the Intel Management Engine discovered an undocumented kill switch in the code as well as references to a National Security Agency program.

Dmitry Sklyarov, Mark Ermolov and Maxim Goryachy, security researchers for Positive Technologies, based in Framingham, Mass., found the Intel kill switch that has the ability to disable the controversial Intel Management Engine (ME).

Experts have been wary of the Intel ME because it is an embedded subsystem on every chip that essentially functions as a separate CPU with deep access to system processes and could be active even if the system were hibernating or shut off.

Lamar Bailey, director of security research and development at Tripwire, said the Intel ME is “an out of band remote management interface” that is not uncommon in hardware.

“The problem happens when there are vulnerabilities in these interfaces or weak authentication issues. The remote management interface has the ability to take over and modify a system, so to many, they are seen as security risks and they are often the target of research and hackers,” Bailey told SearchSecurity. “Many organizations, both commercial and federal, disable these features due to security concerns.”

Finding the Intel kill switch

It was previously thought that the Intel ME was impossible to access or disable because, as the Positive Technologies researchers noted in their analysis, “the executable modules are compressed by Huffman codes with unknown tables,” but the researchers found a way around this.

When inspecting the Intel ME code, the researchers found a field labeled “High Assurance Platform (HAP) enable,” which is a reference to “a multi-year NSA program with the vision to define a framework for the development of the ‘next generation’ of secure computing platforms,” according to the Trusted Computing Group.

The researchers said this was essentially an Intel kill switch for the Management Engine because once that feature was enabled, “quick checks showed that ME did not respond to commands or react to requests from the operating system.” And because the HAP feature disables Intel ME at such an early stage of system boot, it does not cause the ME to crash. However, the researchers couldn’t find a way to disable the Intel kill switch.

Intel did not respond to SearchSecurity’s requests for comment on this story, but a company representative did confirm the Intel kill switch was introduced at the request of the U.S. government and the HAP program, while noting the “modifications underwent a limited validation cycle and are not an officially supported configuration.”

Reactions to the Intel kill switch

Bailey said any customer big enough could make a vendor consider implementing a feature like the kill switch, “no matter if they are commercial or federal.”

“If I were using these in a highly classified area or even a secure data center, I would demand these features be turned [off] just like we disable external ports like USB,” Bailey said. “It’s just another lock on the system as companies and organizations secure their data and information.”

Satya Gupta, co-founder and CTO at application security vendor Virsec, said that while the Intel kill switch “at the chip level may sound nefarious, it’s almost inevitable for any technology to have a reboot function if all else fails.”

“Technology backdoors are always problematic and a very slippery slope. We’ve seen this with the encryption debate — if there’s a backdoor, it will almost inevitably get in the wrong hands and become a huge liability,” Gupta told SearchSecurity. “And if the U.S. has a backdoor, should this be shared with allies? Will China demand their own backdoors to allow access to their markets?”

Philip Lieberman, president of Lieberman Software Corp., said the design of the processor “may have flaws that can be exploited by high capability attack teams, but it is doubtful that backdoors have been implemented by design.” 

“The management engine has been a work in process that deserves criticism for its lack of transparency and it has not exhibited consistent quality. I attribute lack of security and potential kill switches to poor engineering quality by Intel rather than collaboration with intelligence agencies,” Lieberman told SearchSecurity via email. “In reality, government agencies may very well be helping Intel close security holes they have inserted by mistake (the U.S. government agencies might not be evil or conniving as some might believe).”