'Perfect Crime' vulnerability uncovered in Office 2013
California-based SaaS security specialist Adallom has revealed the existence of an Office 365 token flaw in Office 2013 that could allow malicious web servers to intercept authentication tokens and remotely access a SharePoint site without any alerts being raised.
Writing on the company's blog, Noam Liran, Adallom's chief software architect, describes the attack as an "ice dagger" because it's the perfect weapon, leaving no trace. He says, "The vulnerability we've found and the security incident that used it have all the makings of a great crime mystery. Only through months of diligent research were we and the Microsoft Security Response Team able to piece together the elements of what might otherwise have been a perfect crime, totally invisible to existing perimeter and endpoint protection defenses".
The problem affects only Office 2013, because of its close integration with Office 365. To exploit the vulnerability, the attacker needs to get a user to click on a malicious Word document via a link in an email or on a website. Of course, we tech-savvy types know to avoid that sort of thing. But in a large organization you only need one employee to click on a document claiming to be a job application or a document for review, and your whole SharePoint archive is wide open.
PowerPoint, Excel and OneNote are vulnerable too, and you won't be safe if you're using SkyDrive Pro because under the skin it's actually a SharePoint Online site.
Liran sums up, "The vulnerability we researched here and the security incident that used it is a bona fide Perfect Crime; a crime where the victim doesn't know that he’s been hit; a crime where there's no proof of any foul play anywhere; a crime where protecting yourself against it without being familiar with its modus operandi is next to impossible".
"There was no malware payload to reverse-engineer. No file hash we can trace through time. No IP address to locate and investigate. No servers to confiscate. The attacker simply gets away with your Office 365 token. For good".
The vulnerability was repaired in December's Patch Tuesday round of updates, and Office 2013 users are urged to install the fix as soon as possible.