McAfee Labs

Product Coverage and Mitigation for CVE-2014-1761 (Microsoft Word)

3
By on Mar 25, 2014

On March 24, Microsoft released Security Advisory 2953095 for Microsoft Word. In-the-wild exploitation of this vulnerability has been observed across limited, targeted attacks. The flaw is a memory-corruption vulnerability that can be invoked when parsing specially crafted RTF files or data. Successful exploitation can give an attacker the ability to run arbitrary code (via remote code execution). The flaw affects the following:

  • Microsoft Office Compatibility Pack Service Pack 3
  • Microsoft Office for Mac 2011
  • Microsoft Office Web Apps 2010 Service Pack 1
  • Microsoft Office Web Apps 2010 Service Pack 2
  • Microsoft Office Web Apps Server 2013
  • Microsoft Word 2003 Service Pack 3
  • Microsoft Word 2007 Service Pack 3
  • Microsoft Word 2010 Service Pack 1 (32-bit editions)
  • Microsoft Word 2010 Service Pack 1 (64-bit editions)
  • Microsoft Word 2010 Service Pack 2 (32-bit editions)
  • Microsoft Word 2010 Service Pack 2 (64-bit editions)
  • Microsoft Word 2013 (32-bit editions)
  • Microsoft Word 2013 (64-bit editions)
  • Microsoft Word 2013 RT
  • Microsoft Word Viewer
  • Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
  • Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
  • Word Automation Services on Microsoft SharePoint Server 2013

 

Current McAfee product coverage and mitigation

  • McAfee Vulnerability Manager: The FSL/MVM package of March 24 includes a vulnerability check to assess if your systems are at risk.
  • McAfee Host Intrusion Prevention (HIPS): Generic buffer overflow protection is expected to cover code execution exploits.
  • McAfee Network Intrusion Prevention / Network Security Platform (NIPS) : The NSP release of March 27 will include coverage for this threat.
  • Stonesoft (NGFW):  Coverage is provided in Update Package 572-5211 (Released March 27, 2014)
  • McAfee VirusScan (AV): Coverage is provided as Exploit-CVE2014-1761.
  • McAfee Web Gateway (AV): Coverage is provided as Exploit-CVE2014-1761.

 

Cryptocurrency mining

Microsoft’s blog post highlights IP address 185.12.44.51 as a command and control host. This same host has multiple Bitcoin transactions associated with it as a relay. These can be queried and observed via Blockchain.info. As of this writing, the cumulative balance across the associated Bitcoin wallets is BTC 193.5043147 (about US$111,600).

3img2

 

cve_btc_1

 

 

 

Resources

 

 

3 Comments

  • Yes, DAT 7396 detect the exploit CVE 2014-1761

    Yes, DAT 7396 detect the exploit CVE 2014-1761
    http://www.mcafee.com/apps/mcafee-labs/release-notes/datreadme.aspx?DATFile=7396

    best regards,
    Walter

  • zozaya

    Hi,
    Is there a Dat signature that will detect the exploit CVE-2014-1761 on desktop with viruscan protection ?
    thanks
    Rgds

  • Mario

    Hello,
    is there an EXTRA.dat available?

    Thx
    Mario

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>