In addition to protecting the desktop, you should also pay close attention to the Office suite, in particular Microsoft’s Object Linking and Embedding (OLE) platform. OLE lets you create linked connections between applications and other documents, but it also gives attackers a toehold into your systems.
As a recent National Cyber Awareness System document stated: “As of December 2019, Chinese state cyber actors were frequently exploiting the same vulnerability—CVE-2012-0158—that the US government publicly assessed in 2015 was the most used in their cyber operations.” Let that sink in. A vulnerability patched in 2012 was still the most used exploit in December 2019. The vulnerability affects Office 2003, 2007 and 2010.
According to a 2016 Sophos white paper, “Code that CVE-2012-0158 exploits is housed within the Microsoft Windows Common Control Library. MSCOMCTL.OCX is a Dynamic Linked Library (DLL) containing common controls such as the Combo Box, and Progress Bar, among others. CVE-2012-0158 is concerned specifically with the ListView and TreeView ActiveX controls.”
A successful exploit gives the attacker control of the entire system, and the malicious code that delivers it can hide from detection and vary the way it launches the attack. In one variant, the attackers used Rich Text Format (RTF) to hide the payload. As noted in the Sophos white paper, “When Microsoft Word saves an RTF file, the hexadecimal representation of any embedded file is written as a continuous stream of ASCII characters, split into equal length lines which are usually 252 characters. Unfortunately, the bad guys soon discovered that Word is far from stringent about enforcing this formation and tampered with the format incessantly in order to confuse AV parsers.”
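The lenient-parser problem the Sophos quote describes can be turned into a detection check: decode each `\objdata` hex stream the way Word tolerates it (ignoring line breaks and stray whitespace), then flag streams whose layout is not the 252-character form Word itself writes. The following is an added example, not code from the article or from Sophos; it assumes flat `\objdata` groups with no nested braces, and the two RTF documents in it are constructed samples carrying the same arbitrary 300-byte payload in a clean and a tampered layout.

```python
import re

STD_LINE_LEN = 252  # line length Word itself uses when writing embedded hex
# One \objdata group; assumes Word-style flat groups (no nested braces inside).
OBJDATA_GROUP = re.compile(r"\\objdata\b\s*([^{}]*)\}")


def decode_objdata(stream):
    """Decode one \\objdata hex stream as leniently as Word's parser does,
    and report how the layout deviates from what Word would have written."""
    anomalies = set()
    lines = stream.replace("\r", "").strip("\n").split("\n")
    for ln in lines[:-1]:            # every line but the last is normally 252 chars
        if len(ln) != STD_LINE_LEN:
            anomalies.add("nonstandard_line_length")
    if len(lines[-1]) > STD_LINE_LEN:
        anomalies.add("nonstandard_line_length")
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", stream)   # lenient: drop anything else
    if len(hexdigits) != sum(len(ln) for ln in lines):
        anomalies.add("non_hex_chars")                 # whitespace/junk inside stream
    if len(hexdigits) % 2:
        anomalies.add("odd_digit_count")
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits), sorted(anomalies)


def scan_rtf(rtf_text):
    """Return [(payload_bytes, anomalies), ...] for every \\objdata group."""
    return [decode_objdata(m.group(1)) for m in OBJDATA_GROUP.finditer(rtf_text)]


# Constructed sample: 300 arbitrary bytes standing in for an embedded object.
PAYLOAD = bytes(range(256)) + b"A" * 44
HEX = PAYLOAD.hex()
HEADER = "{\\rtf1{\\object\\objemb{\\*\\objdata\n"
# Laid out the way Word writes it: 252-character lines, nothing else in the stream.
CLEAN_RTF = HEADER + "\n".join(HEX[i:i + 252] for i in range(0, 600, 252)) + "\n}}}"
# Same bytes, but uneven 100-character lines with whitespace sprinkled into the hex.
TAMPERED_RTF = HEADER + "\n".join(
    HEX[i:i + 100] for i in range(0, 600, 100)).replace("ff", "f \tf") + "\n}}}"

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_RTF), ("tampered", TAMPERED_RTF)):
        for payload, anomalies in scan_rtf(doc):
            print(name, len(payload), "bytes", anomalies or "no anomalies")
```

Both documents decode to identical bytes, which is the point: a signature that matches on the raw text of the clean file misses the tampered one, while a check that normalises first and also reports the layout anomalies catches both.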