14 DAY TRIAL // During yesterday's Patch Tuesday security update, Microsoft fixed a vulnerability in the Office Suite that allowed an attacker to bypass one of the product's security features called Protected View.
In the real world, Protected View is one of the most crucial and useful security features Microsoft has ever added to the Office Suite.
This feature is basically a sandbox that runs Office documents in a limited environment. Protected View intervenes when the user opens an Office file from the Internet, and it is turned on by default.
The feature is incredibly useful when opening attachments received via email, which may sometimes contain viruses.
Protected View bypass leaves the door open for OLE and macro exploits
Protected View works by blocking all dynamic content embedded in the file and allowing the user to read the file. If the user needs to edit the file, they can then click the "Enable Editing" button, which lets them make modifications to the document but also unleashes all dynamic content, such as scripts or embedded OLE objects.
Both scripts (macros) and OLE objects are known to deliver vicious exploits that can sometimes grant the attacker full control over infected devices.
McAfee (Intel Security) experts have discovered a simple method of bypassing automatic Protected View activation for files opened from the Internet.
Protected View bypass uses Excel add-in files
The trick is to save the malware-laced file as an Excel add-in (.XLA files). Protected View won't activate by default for XLA files, and if crooks embed ActiveX or OLE objects inside these add-in files, they can automatically trigger the exploit without any subsequent user interaction.
Microsoft fixed the vulnerability (CVE-2016-3279) in MS16-088. "The security feature bypass by itself does not allow arbitrary code execution," Microsoft writes in its security bulletin. "However, to successfully exploit the vulnerability, an attacker would have to use it in conjunction with another vulnerability, such as a remote code execution vulnerability, to take advantage of the security feature bypass vulnerability and run arbitrary code."
Taking into account the huge number of Office exploits currently available, an attacker only has to choose which one to embed in their file.
As mentioned above, the exploit executes automatically when opening an XLA file, so unless you're running the latest Windows version, make a mental note never to open XLA files received via email.