Researchers say this attack is a bad bug. Microsoft says it’s a feature.
The recent wave of stealthy fileless attacks leveraging Microsoft applications abuses a feature rather than exploiting a vulnerability, the company says, and Microsoft has no plans to patch it despite knowing about the flaw since August.
Microsoft told pentesting outfit SensePost on Sept. 29 “they weren’t going to fix it,” Dominic White, SensePost CTO told CyberScoop via email. SensePost had alerted the company a month before that the Dynamic Data Exchange, or DDE protocol, in Microsoft Word could be used by hackers to run commands and open executable programs — effectively laying the user’s computer open to complete takeover. Microsoft told the pentesters that was a feature and there would be no patch, but it would be considered for a bug fix in a future version.
This week SensePost published a proof-of-concept on their blog, noting that the technique was an excellent way to get around security measures that cyber-aware enterprises might have in place. The following day, researchers found the technique being used in the wild as part of a fileless phishing attack that could be tied to FIN7, a widely-known APT group.
“It’s always difficult to see bad guys using our tools,” said White. But he added that “it could even be argued that the in-the-wild exploitation was discovered thanks to some of this work” done by his team and other researchers.
Moreover, much published work had already been done on the issue — including an exploit developed for DDE in Microsoft Excel. “Given that this is a very old feature [and that] much prior work has been published around this in the past, we decided criminals likely had more than enough [time and opportunity] to exploit it, and bringing the information to light would help defenders understand the issue and develop defenses more than helping attackers,” he explained.
Microsoft declined multiple requests for interview and comment, but a former head of threat intelligence for the Redmond, Wash.-based giant defended their decision-making.
“A feature is a product capability which supports a legitimate use,” explained Sergio Caltagirone, now director of threat intelligence and analysis at Dragos, Inc. Like a macro, DDE “enables cross-application communication and functionality,” he said. “It’s a really powerful feature.”
On the other hand, “A vulnerability is a way for an adversary to make a product do something it’s not supposed to.”
“That’s a difference that can be worth billions of dollars,” to a huge company like Microsoft, Caltagirone added. “The scale of those decisions is huge.”
If Microsoft switched DDE off, it would break any business processes or applications that relied upon it. Dealing with the comparable issue of macros, Caltagirone noted had been “a more than decade-long process so far,” with no end in sight.
“Macros have been misused for 15 years by every kind of bad actor,” he said, “from commodity malware authors to the stealthiest APTs … Just because someone is able to misuse it, doesn’t mean you just turn it off … Security isn’t binary: It’s not something you either have or don’t have … You have to weigh security against other factors like performance and compatibility. That’s a hard thing for security people to get.”
Not everyone is convinced that the distinction between vulnerabilities and features is so clear cut.
“For the purposes of exploitation, there is no difference,” said White. “It’s really just a shorthand for Microsoft’s internal risk decision criteria, that we aren’t party to … We can only guess at how they decide/manage these things.”
Now that DDE was being exploited in the wild — albeit in a very limited number of attacks — Caltagirone said he would expect Microsoft engineers to begin drawing up a roadmap and work toward developing mitigation strategies or workarounds.