Microsoft 365 is used by over a billion users worldwide, so attackers are naturally deeply invested in compromising its security. One of the ways of making sure this suite of products is as secure as possible is a bug bounty program.
During an upcoming presentation at HITB CyberWeek 2020, Ashar Javed, a security engineer at Hyundai AutoEver Europe, will share stories from his journey towards discovering 365 valid bugs in Microsoft Office 365. We took this opportunity to ask him about his work.
What are some of the most surprising findings of your bug hunting endeavor with Microsoft Office 365?
I found literally hundreds of bugs in Office 365, but my favourites are All your Power Apps Portals belong to us and Cross-tenant privacy leak in Office 365. In the former, I was able to control Power Portal sites via an Insecure Direct Object Reference (IDOR), while in the latter, as an attacker you can reveal the Lync (Skype for Business) status in a cross-tenant manner. An attacker could see that a particular user is online or "be right back" and, at the same time, reveal the custom location set by the victim.
How would you rate Microsoft Office 365 security in general?
Finding a bug in Microsoft 365 is a challenging task given Microsoft follows a Security Development Lifecycle. Furthermore, Office 365 receives a third-party vulnerability assessment every year.
Microsoft has a public bug bounty program for Office 365 open to anyone, so you could say security is built into the heart of Office 365.
What type of bugs did you find? What was the severity of the discovered issues?
I found all sorts of bugs ranging from a simple rate limiting issue to a critical SQLi in Dynamics 365. Further, I found hundreds of XSS issues in SharePoint. I also reported dozens of XSS issues in Outlook. Furthermore, I also found privilege escalation, SSRF and CSRF.
When it comes to the severity of the discovered bugs, it varies from a low severity issue to a critical one. Most of my bugs were rated high by Microsoft.
What’s your take on modern bug hunting in general? Do you work on your own or use a service for disclosure?
Bug hunting is still in its early days as a field. I would call it an amateur field where both parties (the bug hunter and the bug receiver) are learning.
Today’s hostile web environment makes it imperative for organizations to boost their security, and allowing bug hunters to inspect products is a win-win situation for both parties.
When it comes to my work, I directly report security issues to Microsoft instead of reporting via a service.
More and more security professionals are realizing that it’s impossible to fully secure a Windows machine – with all its legacy components and millions of potentially vulnerable lines of code – from within the OS. With attacks becoming more sophisticated than ever, hypervisor-based security, from below the OS, becomes a necessity.
Unlike modern OS kernels, hypervisors are designed for a very specific task. Their code is usually very small, well-reviewed and tested, making them very hard to exploit. That is why the world trusts modern hypervisors to run servers, containers, and other workloads in the cloud, often side-by-side on the same physical server with complete separation and isolation. For the same reason, companies are now leveraging this trusted technology to bring hardware-enforced isolation to the endpoint.
Microsoft Defender Application Guard
Microsoft Defender Application Guard (previously known as Windows Defender Application Guard, or just WDAG), brings hypervisor-based isolation to Microsoft Edge and Microsoft Office applications.
It allows administrators to apply policies that force untrusted web sites and documents to be opened in isolated Hyper-V containers, completely separating potential malware from the host OS. Malware running in such containers won’t be able to access and exfiltrate sensitive files such as corporate documents or the users’ corporate credentials, cookies, or tokens.
With Application Guard for Edge, when a user opens a web site that was not added to the allow-list, he is automatically redirected to a new isolated instance of Edge, continuing the session there. This isolated instance of Edge provides another, much stronger, sandboxing layer to cope with web threats. If allowed by the administrator, files downloaded during that session can be accessed later from the host OS.
With Application Guard for Office, when a user opens an unknown document, maybe downloaded from the internet or opened as an email attachment, the document is automatically opened in an isolated instance of Office.
Until now, such documents would be opened in “protected view”, a special mode that eliminates the threat from scripts and macros by disabling embedded code execution. Unfortunately, this mode sometimes breaks legit files, such as spreadsheets that contain harmless macros. It also prevents users from editing documents.
Many users blindly disable the “protected view” mode to enable editing, thereby allowing malware to execute on the device. With Application Guard for Office, users don’t compromise security (the malware is trapped inside the isolated container) nor productivity (the document is fully functional and editable inside the container).
In both cases, the container is spawned instantly, with minimal CPU, memory, and disk footprints. Unlike traditional virtual machines, IT administrators don’t need to manage the underlying OS inside the container. Instead, it’s built out of existing Windows system binaries that remain patched as long as the host OS is up to date. Microsoft has also introduced new virtual GPU capabilities, allowing software running inside the container to be hardware-GPU accelerated. With all these optimizations, Edge and Office running inside the container feel fast and responsive, almost as if they were running without an additional virtualization layer.
The missing compatibility
While Application Guard works well with Edge and Office, it doesn’t support other applications. Edge will always be the browser running inside the container. That means, for example, no Google account synchronization, something that many users probably want.
What about downloaded applications? Applications are not allowed to run inside the container. (The container hardening contains some WDAC policies that allow only specific apps to execute.) That means that users can execute those potentially malicious applications on the host OS only.
Administrators who don’t allow unknown apps on the host OS might reduce users’ productivity and increase frustration. This is probably more prominent today, with so many people working from home and using a new wave of modern collaboration tools and video conferencing applications.
Users who are invited to external meetings sometimes need to download and run a client that may be blocked by the organization on the host OS. Unfortunately, it’s not possible to run the client inside the container either, and the users need to look for other solutions.
And what about non-Office documents? Though Office documents are protected, non-Office documents aren’t. Users sometimes use various other applications to create and edit documents, such as Adobe Acrobat and Photoshop, Autodesk AutoCAD, and many others. Application Guard won’t help to protect the host OS from such documents that are received over email or downloaded from the internet.
Even with Office alone, there might be problems. Many organizations use Office add-ons to customize and streamline the end-user experience. These add-ons may integrate with other local or online applications to provide additional functionality. As Application Guard runs a vanilla Office without any customizations, these add-ons won’t be able to run inside the container.
The missing manageability
Configuring Application Guard is not easy. First, while Application Guard for Edge technically works on both Windows Pro and Windows Enterprise, only on Windows Enterprise is it possible to configure it to kick in automatically for untrusted websites. For non-technical users, that makes Application Guard almost useless in the eyes of their IT administrators, as those users have to launch it manually every time they consider a website to be untrusted. That’s a lot of room for human error. Even if all the devices are running Windows Enterprise, it’s not a walk in the park for administrators.
For the networking isolation configuration, administrators have to provide a manual list of comma-separated IPs and domain names. It’s not possible to integrate with your already fully configured web-proxy. It’s also not possible to integrate with category-based filtering systems that you might also have. Aside from the additional system to manage, there is no convenient UI or advanced capabilities (such as automatic filtering based on categories) to use. To make it work with Chrome or Firefox, administrators also need to perform additional configurations, such as delivering browser extensions.
This is not a turnkey solution for administrators and it requires messing with multiple configurations and GPOs until it works.
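Because the enterprise resource list is hand-maintained, it is worth checking which URLs a given list sends to the host and which to the container before enabling automatic redirection. The script below is an added example (not part of the original article or of Application Guard itself); it uses a simplified model of the matching rules (a leading dot matches the domain and its subdomains, bare names match exactly, IP entries may be a single address, a CIDR block or a start-end range) and a constructed hypothetical policy, so treat those semantics as an assumption to validate against your own tenant.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed example policy for a hypothetical tenant, not data from the article.
# Matching rules used here are a simplified model, not Windows' exact matcher:
# ".x" matches x and its subdomains, a bare name matches exactly, IP entries may be
# a single address, a CIDR block or a "start-end" range.
ENTERPRISE_RESOURCES = ".contoso.com,intranet,10.0.0.0-10.255.255.255,192.168.50.0/24"

def parse_resource_list(raw):
    """Split a comma-separated policy string into domain rules and IP networks."""
    suffixes, exact, networks = [], set(), []
    for entry in (e.strip().lower() for e in raw.split(",") if e.strip()):
        if entry[0].isdigit() and "-" in entry:
            start, end = entry.split("-", 1)
            networks.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end)))
        elif entry[0].isdigit():
            networks.append(ipaddress.ip_network(entry, strict=False))
        elif entry.startswith("."):
            suffixes.append(entry)
        else:
            exact.add(entry)
    return suffixes, exact, networks

def opens_on_host(url, policy):
    """True if the URL's host is on the enterprise list (rendered on the host OS),
    False if it would be redirected into the isolated Application Guard container."""
    suffixes, exact, networks = policy
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)      # literal IP host: check the ranges
        return any(addr in net for net in networks)
    except ValueError:
        pass                                   # not an IP, fall through to names
    if host in exact:
        return True
    # "contoso.com.evil.example" must NOT match ".contoso.com": suffix match only
    return any(host == s[1:] or host.endswith(s) for s in suffixes)

def audit_urls(urls, raw_policy):
    """Map each URL to 'host' or 'container' so the split can be reviewed
    before automatic redirection is switched on."""
    policy = parse_resource_list(raw_policy)
    return {u: ("host" if opens_on_host(u, policy) else "container") for u in urls}

if __name__ == "__main__":
    sample = ["https://mail.contoso.com/owa", "http://intranet/",
              "https://10.20.30.40:8443/", "https://contoso.com.evil.example/",
              "https://192.168.50.7/", "https://www.example.org/"]
    for url, where in audit_urls(sample, ENTERPRISE_RESOURCES).items():
        print(f"{where:9s} {url}")
```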
In addition, other management capabilities are very limited. For example, while admins can define whether clipboard operations (copy+paste) are allowed between the host and the container, it’s not possible to allow these operations only one way and not the other. It’s also not possible to allow certain content types such as text and images, while blocking others, such as binary files.
OS customizations and additional software bundlings such as Edge extensions and Office add-ins are not available either.
While Office files are opened automatically in Application Guard, other file types aren’t. Administrators that would like to use Edge as a secure and isolated PDF viewer, for example, can’t configure that.
The missing security
As stated before, Application Guard doesn’t protect against malicious files that were mistakenly categorized as safe by the user. The user might securely download a malicious file in the isolated Edge but then choose to execute it on the host OS. They might also mistakenly categorize an untrusted document as a corporate one, so that it is opened on the host OS. Malware could easily infect the host due to such user errors.
Another potential threat comes from the networking side. While malware getting into the container is isolated in some aspects such as memory (it can’t inject itself into processes running on the host) and filesystem (it can’t replace files on the host with infected copies), it’s not fully isolated on the networking side.
Application Guard containers leverage the Windows Internet Connection Sharing (ICS) feature, to fully share networking with the host. That means that malware running inside the container might be able to attack some sensitive corporate resources that are accessible by the host (e.g., databases and data centers) by exploiting network vulnerabilities.
While Application Guard tries to isolate web and document threats, it doesn’t provide isolation in other areas. As mentioned before, Application Guard can’t isolate non-Microsoft applications that the organization chooses to use but not trust. Video conferencing applications, for example, have been exploited in the past and usually don’t require access to corporate data – it’s much safer to execute these in an isolated container.
External device handling is another risky area. Think of CVE-2016-0133, which allowed attackers to execute malicious code in the Windows kernel simply by plugging a USB thumb drive into the victim’s laptop. Isolating unknown USB devices can stop such attacks.
The missing holistic solution
Wouldn’t it be great if users could easily open any risky document in an isolated environment, e.g., through a context menu? Or if administrators could configure any risky website, document, or application to be automatically transferred and opened in an isolated environment? And maybe also to have corporate websites to be automatically opened back on the host OS, to avoid mixing sensitive information and corporate credentials with non-corporate work?
How about automatically attaching risky USB devices to the container, e.g., personal thumb drives, to reduce chances of infecting the host OS? And what if all that could be easy for administrators to deploy and manage, as a turn-key solution in the cloud?
A week after the April 2020 Patch Tuesday, Microsoft released out-of-band security updates for its Office suite, to fix a handful of vulnerabilities that attackers could exploit to achieve remote code execution.
At the same time, a security update has also been released for Paint 3D, the company’s free app for creating 3D models, because the source of the fixed vulnerabilities is something that both Office and Paint 3D have in common: the Autodesk FBX library.
About the vulnerabilities
Autodesk – the company behind the popular AutoCAD software but also a variety of other specialized apps used by architects, engineers, digital media creators, manufacturers, etc. – fixed six vulnerabilities (CVE-2020-7080 through CVE-2020-7085) in its FBX Software Developer Kit (SDK).
All can be triggered if a user is tricked into opening a specially crafted, malicious FBX file, and can either create a DoS condition or make the application run arbitrary code on the underlying system.
Since the Autodesk FBX library is integrated into MS Office apps and the Paint 3D app, processing specially crafted 3D content in them may lead to remote code execution.
“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft explained.
What to do?
To exploit the vulnerabilities, an attacker must send a specially crafted file containing 3D content to a user and convince them to open it. (Just viewing it through the Preview Pane is not enough to trigger the exploitation.)
The fact that exploitation requires user interaction makes the vulnerabilities important but not critical. Nevertheless, tricking users into opening random files is, unfortunately, something that attackers know how to do well.
There are no mitigating factors or workarounds for the flaws, so users and admins are urged to implement the provided updates, especially if they often deal with FBX files.
The January 2020 Patch Tuesday was a light one as predicted; everyone was still catching up from the end-of-year holidays. As we gain momentum into February and move towards Valentine’s Day, I anticipate Microsoft, and at least Mozilla, will give plenty of love and attention to their applications and operating systems.
Microsoft had announced back in August with Advisory 190023 that they were planning several updates to their implementation of the Lightweight Directory Access Protocol (LDAP). That advisory explained the need for LDAP channel binding and LDAP signing to increase security. Originally planned for Q4 2019, the first part of this update has been pushed by Microsoft to March 2020.
The company is planning a two-part rollout, with the March release paving the way for major change and enforcement later in the year. As explained in the advisory, the “Windows Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing.”
Microsoft delayed this until March so administrators can properly test the LDAP configuration changes. There’s been a lot of discussion on the various security forums concerning this, so factor in some extra test time next month.
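To make use of that testing window, an administrator needs to turn the audit logging into a list of clients to fix before signing is enforced. The script below is an added example, not part of the original column: it parses the message text of Directory Service event 2889, which a domain controller logs once per client that performs an unsigned SASL bind or a clear-text simple bind, and groups the offending clients by identity. The sample events and the CONTOSO identities are constructed.

```python
import re
from collections import defaultdict

# Directory Service event 2889 is logged per client that binds without signing
# (SASL) or with a simple bind over clear text. Binding Type 0 = simple bind in
# clear text, 1 = SASL bind without signing. HEADER mirrors the event's message.
HEADER = ("The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP "
          "bind without requesting signing (integrity verification), or performed a "
          "simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.")

def make_2889(ip_port, identity, binding_type):
    """Build a constructed 2889 message for offline testing (not a real DC export)."""
    return (f"{HEADER}\nClient IP address:\n{ip_port}\n"
            f"Identity the client attempted to authenticate as:\n{identity}\n"
            f"Binding Type:\n{binding_type}")

SAMPLE_EVENTS = [  # constructed sample data for a hypothetical CONTOSO domain
    make_2889("10.0.0.5:49723", "CONTOSO\\svc-backup", 0),
    make_2889("10.0.0.5:49801", "CONTOSO\\svc-backup", 0),
    make_2889("10.0.1.17:50112", "CONTOSO\\jdoe", 1),
    "During the previous 24 hour period, 3 clients performed unsigned binds.",  # 2887-style summary
]

EVENT_RE = re.compile(
    r"Client IP address:\s*(?P<ip>\S+):(?P<port>\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>.+?)\s*"
    r"Binding Type:\s*(?P<btype>\d)", re.S)

def parse_event_2889(message):
    """Return the client fields of one 2889 message, or None for any other event."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    return {"ip": m["ip"], "port": int(m["port"]), "identity": m["identity"].strip(),
            "bind": "simple-cleartext" if m["btype"] == "0" else "sasl-unsigned"}

def clients_to_fix(messages):
    """Group offending binds by identity -> sorted list of (source ip, bind kind).
    Every entry is a client that will stop working once the DC requires LDAP
    signing, so it must move to LDAPS/StartTLS or a signed SASL bind beforehand."""
    grouped = defaultdict(set)
    for msg in messages:
        ev = parse_event_2889(msg)
        if ev:
            grouped[ev["identity"]].add((ev["ip"], ev["bind"]))
    return {identity: sorted(pairs) for identity, pairs in grouped.items()}

if __name__ == "__main__":
    for identity, sources in clients_to_fix(SAMPLE_EVENTS).items():
        print(identity, sources)
```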
Windows 7 and Server 2008/2008 R2 patches
Getting back to February Patch Tuesday, the big change will be the lack of Windows 7 and Server 2008/2008 R2 patches this month. I say that tongue-in-cheek because they will still be publicly available but require a special key to install on the endpoint; this key is issued as part of the Microsoft Extended Security Update (ESU) program.
Microsoft has made this as painless as possible to accommodate the large, remaining installed base of these systems. However, with the end of any operating system there is always some confusion and panic as reality sets in.
If you have systems you just can’t migrate/upgrade yet to Windows 10 and you don’t have a planned ESU program in place, you should consider some additional options to mitigate their security risk. Consider virtualizing some of the workload and locking down the system to run only the specific applications you need. Application control can help with this lockdown and often provides some privilege management protection as well.
You can also consider a segmentation approach, i.e. remove them from direct internet connectivity or move them to more protected parts of your network.
Finally, add on some next-gen anti-virus (AV) or endpoint detection and response (EDR) solutions for added protection. You know these systems will become targets, so due diligence is important to their protection until you can migrate them.
February 2020 Patch Tuesday forecast
- Microsoft is overdue to release some major updates, so expect them this month. We should see updates across the board with a large number of CVEs addressed in all of them. In addition to the usual OS and Office updates, we should see server updates for SharePoint, Exchange, and SQL. I don’t expect another .NET update since one was released in January, but you never know.
- Mozilla is also overdue for a set of major updates across their product lines.
- Google released major updates for Chrome this week, so we should only see a minor update, if any, on patch Tuesday.
- Apple released their first major updates of the year last week, so similar to Google, we expect only minor updates, if any at all.
- Adobe is a bit unpredictable this month. Their last major security update for Acrobat and Reader was back in early December, so the pressure is mounting for another one. Keep an eye out for their pre-announcement bulletins and plan accordingly.
Even if we have a heavy patch release next Tuesday, make sure you set some time aside to spend with your significant other or a close friend the following Friday – Happy Valentine’s Day!
Which ten software vulnerabilities should you patch as soon as possible (if you haven’t already)?
Table of top exploited CVEs between 2016 and 2019 (repeats are noted by color)
Recorded Future researchers have analyzed code repositories, underground forum postings, dark web sites, closed source reports and data sets comprising submissions to popular malware repositories to compile a list of the ten vulnerabilities most exploited by cybercriminals in 2019.
The list is comprised of two vulnerabilities in Adobe Flash Player, four vulnerabilities affecting Microsoft’s Internet Explorer browser, three MS Office flaws and one WinRAR bug:
Most have been flagged and patched in the last few years – as can be seen by their CVE numbers – but one of them dates as far back as 2012.
The researchers put the popularity of Microsoft vulnerabilities (as compared to Flash bugs) down to a combination of better patching and Flash Player’s impending demise in 2020, and noted the importance of patching Microsoft products in a timely manner.
Among other, more recently patched flaws that made the top 20 list are CVE-2019-0841, a privilege escalation vulnerability in the Windows AppX Deployment Service, and CVE-2019-3396, a server-side template injection vulnerability in the Atlassian Confluence Server and Data Center Widget Connector that could be used for remote code execution.
With all of this in mind, they advise admins to prioritize the patching of Microsoft products (and all the aforementioned vulnerabilities), automatically disable Flash Player wherever possible, remove affected software if it’s not needed, and install browser ad-blockers to prevent exploitation via malvertising.