Malicious Office Documents
One very common entry point these days is malicious Office documents. If you have no idea how interactive these "documents" can get, take the test at decloak.net (Start button). You'll get a .doc file that performs network connections and, in this case, bypasses anonymization technologies.
If you use a tool like OffVis from Microsoft, you can verify that the .doc file doesn't exploit a file format vulnerability, but uses lesser-known functionality to open a remote website with MS Word, which wouldn't be proxied the way the browser is.
When it comes to exploiting file format vulnerabilities, PDFs are interesting. Adobe Reader in particular is a product that regularly fails. In order to catch Adobe's security failures, which are numerous and dangerously underestimated, it may be wise to use different integrity levels on a computer that has access to confidential information and operates as an office machine by opening documents.
Here's a great list of articles if you aren't too familiar with "Maldocs" ;).
Using Windows Integrity Control as Mandatory Access Control
Normally there should be neither interactive PDFs nor interactive Word files in an office. In the past, security professionals advised users to deactivate JavaScript functions within Foxit Reader, Adobe Reader of course, and other PDF viewers. Here's another technique that may come in handy later this year, because forecasts declare Adobe Reader the most interesting target for attackers.
Windows Integrity Control has been present since NT 6, which means Vista, Windows 7, Server 2008... Most companies are deciding these days whether to upgrade from XP or not. At the end of the decision process they'll have to use Windows 7 or Vista for their clients, because XP's support isn't being continued.
WIC is a surprisingly interesting security feature. It isn't well known, because focusing on attacks instead of defensive technology sells much better. There's a wrapper to ease the use of these control sets.
The following command will reveal the integrity level of explorer.exe:
- icacls c:\windows\explorer.exe
- C:\windows\explorer.exe NT SERVICE\TrustedInstaller:(F)
- BUILTIN\Administrators:(RX)
- NT AUTHORITY\SYSTEM:(RX)
- BUILTIN\Users:(RX)
It's acting as a "Trusted Installer". The linked SecurityFocus article describes what this means.
The following command sets a Low integrity level for Adobe Reader. You may need to change the path to the executable (icacls takes the file name first, and a path containing spaces must be quoted). You need to do this as an administrator.
- icacls "C:\Program Files\Adobe\acrobat.exe" /setintegritylevel L
"L" for Low is the level used by default for interaction with the Internet. As long as Internet Explorer, for example, runs in this state, aka Protected Mode, all files and processes associated with it are assigned the Low integrity level. Some folders, such as the Temporary Internet Files folder, are also assigned the Low integrity level by default. However, your classified documents containing sensitive data aren't! So there's no way an attacker could gain access to your classified files as long as he is unable to escalate his privileges out of Adobe Reader, which shouldn't be too easy due to UAC and the advanced exploit mitigation strategies introduced in NT 6.
Surely using a command-line tool to create these policies isn't the common Windows administration workflow. Even the linked chml wrapper is just a command-line utility. Writing a GUI is the logical next step to get people to adopt this feature into their security control sets.
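The query and the labelling step above, wrapped into one script so the result can be checked rather than assumed. This is an added example and not code from the original post or from the chml tool; the Reader path is the one assumed in the post and must be adjusted to the real installation, and the script has to run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): read the integrity label of a
# file with icacls, set it to Low, then read it back to confirm the change.
# The target path is an assumption taken from the post; adjust it as needed.
$Target = 'C:\Program Files\Adobe\acrobat.exe'

function Get-IntegrityLabel {
    param([Parameter(Mandatory=$true)][string]$Path)
    # icacls prints an explicit "Mandatory Label\..." entry only when a label
    # has actually been set on the object. No such line means the object runs
    # at the implicit default, Medium, which is why plain "icacls explorer.exe"
    # shows only the TrustedInstaller/Administrators/SYSTEM/Users ACEs.
    $hit = icacls $Path | Select-String -Pattern 'Mandatory Label\\' | Select-Object -First 1
    if ($hit) { return ($hit.Line -replace '^.*Mandatory Label\\', '').Trim() }
    return 'Medium (implicit default, no explicit label)'
}

function Set-LowIntegrity {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Same as typing:  icacls "<path>" /setintegritylevel L
    # A new process receives the lower of the launching process's integrity
    # level and the label on its executable, so a Low label on the image makes
    # Reader start as a Low process even when launched from a Medium shell.
    icacls $Path /setintegritylevel L | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /setintegritylevel failed for '$Path'" }
}

"Before: $(Get-IntegrityLabel -Path $Target)"
Set-LowIntegrity -Path $Target
"After:  $(Get-IntegrityLabel -Path $Target)"
```

After the change the second query shows the label as "Low Mandatory Level:(NW)". The "(NW)" part is the label's policy, no-write-up: a Low process cannot create or modify objects labelled Medium or higher, which is what stops a compromised Reader from dropping files into the user's profile or tampering with documents. Note that the default policy does not include no-read-up, so the label on the executable alone restricts what Reader can write, not what it can read; keep that in mind when deciding which of the post's claims about confidential files the label actually enforces.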
It would have a GUI if it was an attack ;).
Have fun,
wishi