SANS ISC: Interesting Potential Attack Vector

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

One of the handlers found an interesting article on the net which raises some interesting questions and describes an interesting attack vector for the delivery of malware. 

Essentially it uses frames within word documents.  When using frames in the document you can link the content of the frame to a URL, which will be downloaded and displayed (if relevant) when the document is opened.  So this is similar to the URL links in the SPAM emails we all get.  However the email links require a click, whereas this requires you to open the document.  People nowadays are wary of clicking on links in emails, but will happily open a word document when it seemingly was sent by Aunty Joan, the boss, or someone else they know.

So in a few minutes of thinking we came up with a number of interesting uses of this feature, ranging from tracking documents being opened to malware being downloaded and installed and of course the original use as described in the article.

What to do about it?  Controls on web traffic would be  one defence, for example content scanning or URL blocking.  The payload has to be delivered, so if web traffic is controlled the risk is reduced.  To prevent email delivery, block word documents.  I know a number of sites where this is the norm and it works for them.  But still one of the best defences is an informed userbase, so awareness training.

Other products may have similar issues, so be aware.

The article can be found here.

Mark Hofman
ISC Handler On Duty
shearwater.com.au