Protected View is a security feature of Microsoft Office. According to research from MWR Labs, Protected View mode is a strong application-level sandbox. In a real-world attack scenario, Office documents from the Internet, such as downloaded documents from browsers (Chrome, Edge, Internet Explorer), or attachments received on emails clients (such as Outlook), are opened by default in Protected View mode, which offers the first line of protection against various Office-based attacks.
Many exploits are delivered in Office file formats. For example, the Hacking Team was found to have embedded Flash zero-day exploits into Office documents for a long time. This trick was also used in the recent Flash zero-day attack (CVE-2016-4117). However, if we look closer at the attack scenario, this exploit-delivering method usually fails thanks to Protected View. When the “from the Internet” document is opened, Protected View blocks the running of the embedded exploit, and a warning tells the user telling it is safer to stay in Protected View. (We strongly recommend users not ignore the warning unless they really need to edit the file.) See the following screen:
We have been working with the Microsoft Security Response Center during the past several months to address an Office Protected View bypassing bug (CVE-2016-3279) we found. Today, now that Microsoft has finally released a patch, we will discuss the details to offer better detection and defense for the community.
The attack is quite simple and the exploit can be packed as a .xla file type, an Excel add-in. We found that when a .xla file from the Internet is opened, Protected View does not activate. In other words, Excel uses its normal mode to open the file (probably because Excel considers that .xla files cannot cause harm). Unfortunately, however, the .xla format can contain many types of potentially malicious contents, typically ActiveX or OLE objects, just as other well-known formats such as .docx or .xls.
The following screen shows what happens when the user opens a Flash-embedded .xla file downloaded from the Internet. The “Zone.Identifier” Alternate Data Stream is set (marking the file as from the Internet), but the Flash binary is still loaded into the Excel process, which suggests the Protected View sandbox is not activated. (This version of Excel is running at the Medium integrity level.)
Thus an an attacker can bypass the first line of protection just by saving an Office exploit as an .xla file.
For your defense, we highly recommend that every Office user—whether at work or at home—install the official patch as soon as possible. Our NIPS signature, “0x451bce00—Microsoft Office XLA File Handling Remote Code Execution (CVE-2016-3279),” can detect such an attack. Users who download or receive an .xla file from untrusted sources should be extremely careful before opening the file.
Thanks to my colleague Bing Sun for his help with this post.