Kaspersky Lab’s Technology Proactively Blocks Attacks via Zero-Day Vulnerability in Microsoft Office

14th November 2013

Kaspersky Lab’s Automatic Exploit Prevention (AEP) technology successfully blocks attacks via the recently discovered system vulnerability in Microsoft Office software. Microsoft reported knowledge of targeted attacks attempting to exploit this vulnerability.

On November 5, Microsoft issued a Security Advisory notifying users of a system vulnerability that would allow successful attackers to gain the same access rights as the current user. This vulnerability affects Microsoft Windows, Microsoft Lync, and Microsoft Office. Given the vast usage of affected programs, this software vulnerability put millions of users around the world at risk.

Kaspersky Lab has confirmed that AEP has successfully blocked any attempts to exploit this previously-unknown Microsoft software vulnerability, keeping the company’s customers safe from targeted attacks and other emerging threats that may have leveraged this weakness. By monitoring for unusual behavior, and not simply relying on databases of malware that has already been detected, Kaspersky Lab’s Automatic Exploit Prevention has once again proved the value of its proactive protection.

“Behavior-based detection logic for this kind of exploitation was implemented in Automatic Exploit Prevention technology almost a year ago. Based on our research, which was conducted after the vulnerability was disclosed, the first malicious attack attempts using this vulnerability happened as early as July of this year. We think it is a significant achievement that our products successfully protect our clients long before the public announcement of the existence of the vulnerability,” said Nikita Shvetsov, Deputy CTO (Research) at Kaspersky Lab.

The Microsoft vulnerability, recorded as CVE-2013-3906, is a remote code execution vulnerability in the Microsoft Graphics system component. According to Microsoft:

“An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”

In their advisory, Microsoft provides immediate suggestions for a workaround solution which “does not correct the underlying issue but would help block known attack vectors before a security update is available.” The full fix for this vulnerability is expected to be issued in Microsoft’s next batch of software update patches.

This situation is a perfect example of a “window of vulnerability,” where a known vulnerability exists and is presumably being targeted by cybercriminals, but the software company is unable to issue an immediate fix. Until the fix is issued, an incalculable number of users around the world are vulnerable to cyberattacks.

Kaspersky Lab’s Advanced Protection from Software Flaws

For years, Kaspersky Lab experts have published research data about the growth of software exploits, which are malicious programs that target vulnerabilities in widely-used legitimate software. Vulnerabilities that have been discovered by cybercriminals, but not by the software maker, are known as Zero-Days. Recognizing this trend in cybercrime, Kaspersky Lab responded by designing Automatic Exploit Prevention, a unique technology that was built entirely by Kaspersky Lab’s internal team of experts.

Put simply, Automatic Exploit Prevention monitors the system for behaviors commonly performed by malicious exploits, and pays particular attention to commonly-targeted software. This technology, which is now available in Kaspersky Lab’s B2B and B2C security solutions, performs a number of different functions to block exploits, including tracking the origin of software that is attempting to launch, and monitoring the behavior of existing programs prior to running new software. This proactive monitoring is combined with the use of Forced Address Space Layout Randomization (ASLR), which randomizes the image base of a loaded or loading module and prevents attacks from finding their target. For more information on how Kaspersky Lab’s AEP technology works, please read our whitepaper.

Kaspersky Lab’s researchers continue to pay close attention to software vulnerabilities and their impact on IT security. In October 2013, the company released a highly-detailed report on the evolution of exploits in Java software from 2012-2013. The report listed more than 160 Java vulnerabilities identified over the course of the year, and these vulnerabilities were attacked by exploit malware more than 14 million times, including then-unknown Zero-Day vulnerabilities that were used in the Icefog cyberespionage campaign.

For more information about Kaspersky Lab’s award-winning security technologies, please browse our whitepapers library.