SCOPE Every version of Microsoft Office on every Windows OS includes a feature called OLE Packager, allowing content to be embedded in documents. This includes executable content (.exe, .js, .vbe etc) - there is no restriction of embeddable content. There is no way to disable or restrict this functionality on any Office version, even with macros disabled and the High Security templates installed. The feature dates back to the early 90s. To complicate matters, you can save Word documents as .RTF files -- which also support OLE Packaging -- which seems to defeat most mail gateway scanning of OLE objects. PROOF OF CONCEPT I have produced various proof of concept documents here: http://owned.lab6.com/~gossi/research/public/packager/ SalesOrder.rtf / docx -- lock your Windows workstation OrderRemittance.xlsx -- reverses your left and right mouse buttons, persists on reboot These documents are clean for all antivirus providers, and tested to pass Messagelabs etc (other cloud based email security providers are available). I have also tested these documents on Malwarebytes Anti-Exploit and a leading behavioral endpoint product (under NDA so cannot name) - both fail to spot it. Additionally, it is not flagged by Cuckoo Sandbox or Palo-Alto Wildfire sandbox. Through months of testing it has become clear that security solutions simply do not touch this issue. As such, you can smash through firewalls to execute code on the desktop, as long as a user clicks through a few warnings, with no way to disable the functionality. BACKGROUND OLE Packager is a feature introduced in Windows 3.1, which ran "up to" Windows XP: https://en.wikipedia.org/wiki/Object_Linking_and_Embedding It is still present in every version of Microsoft Office, on every Windows OS (including Office 2013 x64 on Windows 10 x64). You can use the Office interface to place executable code into documents - it's even fully GUI driven. Office 2010 -> Insert -> Object. Office handles this with a DLL file - packager.dll. To try to mitigate against issues, in the past Microsoft produced a static string of 'risky' file types, which add a warning message (the user can still click through it). However, this static list has not been kept up to date. For example, it does not recognise PowerShell, and other executable types. You can also just .zip code to bypass user warnings. VENDOR RESPONSE Microsoft were notified in March about the problem, and that threat actors were experimenting with it in the wild. At the time they asked me not to post information about the problem online. They have not addressed the problem, and believe it is a feature of Office. MITIGATION Microsoft Office contains extensive and good security tools. For example, you can digitally sign macros or designate "Trusted locations" on your network for case-by-case enabling of risky features. OLE Packager is not covered in this protection; it is always enabled. This is the key issue. If you have Microsoft EMET already deployed, add a rule for Excel, Winword and Powerpoint -- it needs to be an ASR rule which denies packager.dll. Because you cannot control this on a document-by-document basis, you may break legitimate OLE Packager usage (e.g. embedding Excel documents in PowerPoint). #Packager.dlHELL
