Jerome Segura, a top security researcher who works with Malwarebytes, has figured out a way to get around security protections in Microsoft Office by making use of an attack vector that doesn’t require macros. This comes on the heels of other researchers recently finding methods to use macro shortcuts to abuse Access databases.
By embedding a settings file into an Office document, attackers can use social engineering to get users to run dangerous code without any further prompt. When the technique works, Windows shows no error message, not even a cryptic one, which helps hide the fact that anything is going on.
A file format specific to Windows 10 holds XML code that creates shortcuts to applets in the Control Panel. This format, .SettingContent-ms, didn't exist in prior versions of Windows, so as far as researchers know, earlier versions shouldn't be vulnerable to this exploit.
Those who’ve deployed Office using the Wine application compatibility layer shouldn’t experience problems either, regardless of whether they’re using GNU/Linux or macOS. One of the XML elements that this file holds, however, can wreak havoc with Windows 10 machines running on bare metal.
DeepLink, as the element is known, lets the file launch a binary executable, including any switches and parameters that follow it. An attacker could point it at PowerShell followed by arguments and thereby execute arbitrary code. If they'd prefer, they could even call the legacy command interpreter and use the same environment the Windows command line has offered since the earliest versions of the NT kernel.
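As an added example (not from the article or from Malwarebytes), here is a defender-side check that parses a .SettingContent-ms file and flags DeepLink values that would launch a command interpreter with arguments instead of opening a Settings page. The element names, the namespace, and the benign/suspicious heuristics are assumptions made for this example, and both input files are constructed.

```python
# Added example: scan a .SettingContent-ms file for DeepLink values that run a
# command rather than open a Settings page. Tag names and namespace are assumed.
import re
import xml.etree.ElementTree as ET

# Constructed samples: one benign deep link, one misusing the element as described.
BENIGN_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>Example.App</AppID>
      <DeepLink>ms-settings:display</DeepLink>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

SUSPICIOUS_SAMPLE = BENIGN_SAMPLE.replace(
    "ms-settings:display", r"C:\Windows\System32\cmd.exe /c echo constructed-sample")

# Heuristics (assumptions for this example): a legitimate deep link is an
# ms-settings: URI or a bare executable path; an interpreter name or trailing
# arguments point to command execution rather than a settings page.
SHELL_NAMES = re.compile(r"(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)(\.exe)?\b", re.I)

def deep_links(xml_text):
    """Return every DeepLink value in the file, ignoring the XML namespace on the tag."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "DeepLink"]

def classify_deep_link(value):
    """Return the reasons a value looks like command execution (empty list = benign)."""
    reasons = []
    if value.lower().startswith("ms-settings:"):
        return reasons
    if SHELL_NAMES.search(value):
        reasons.append("deep link invokes a command interpreter")
    if re.search(r"\s", value):
        reasons.append("deep link carries arguments after the executable")
    return reasons

def scan(xml_text):
    """Map each DeepLink in the file to its list of findings."""
    return {link: classify_deep_link(link) for link in deep_links(xml_text)}

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, scan(sample))
```

Run it over files extracted from an Office document (or from mail attachments) and alert on any non-empty findings list.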
As a result, a creative attacker could craft a document that looks legitimate and pretend to be someone else in order to get people to click a link on it. This could, for instance, get used to download cryptomining applications onto a victim’s machine.
They might also send such a file out via a large spam campaign. Segura suggested this ensures classic social engineering attacks won't fall out of style soon. While the file would have to reach countless users to ensure that a few allow code execution, disguising it as something else should make that possible.