An important Microsoft Office related security bug fix has been bypassed by hackers in an embarrassingly simple way.
Back in September 2021, Microsoft released a fix for a security bug in which a Word document (docx or RTF) fetched a web page. That web page then downloaded and ran a CAB file (a compressed container format used by some Windows installers). The CAB file carried the malicious code that ran on the victim's computer.
It was a critical level bug and Microsoft acted quickly to fix it in Windows (labelled CVE-2021-40444). To be infected, though, users had to open what should have been a suspicious attachment and bypass the Protected View / Application Guard protections in modern Office.
All fine until the following month when criminals released a new variant to the original hack which bypassed Microsoft’s September fix.
Instead of downloading a CAB file, it now downloads a RAR file (RAR is an excellent compression tool, a rival to ZIP). Changing CAB to RAR is all it took to work around Microsoft’s September patch.
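Both the original attack and the RAR variant rely on a document that reaches out to a web page, and the patch-bypass lesson is that defenders should watch for the outbound reference rather than one specific payload format. The following script is an added example, not code from this post or from Microsoft or Sophos: it treats a docx as the ZIP container it is, reads every `*.rels` relationship part, and lists relationships whose `TargetMode` is `External` (the OOXML mechanism by which a document points outside itself). The sample package it builds is constructed inline for the demonstration, and the `example.invalid` URL is a placeholder, not a real indicator.

```python
"""Flag external relationships in an OOXML (docx) package.

Added example, not code from the original post. A docx is a ZIP archive;
links that leave the package are recorded in relationship parts (*.rels)
as Relationship elements with TargetMode="External". Listing them is a
cheap triage step that does not depend on whether the remote page later
serves a CAB, a RAR, or anything else.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the OPC relationships schema used in every *.rels part.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def external_relationships(docx_bytes):
    """Return [(rels_part, short_rel_type, target)] for each external relationship.

    short_rel_type is the last path segment of the relationship Type URI,
    e.g. "hyperlink" or "oleObject", which is what an analyst wants to see.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                # TargetMode defaults to Internal when the attribute is absent.
                if rel.get("TargetMode", "Internal").lower() == "external":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, short_type, rel.get("Target", "")))
    return findings


def build_sample_docx(external_target=None):
    """Construct a minimal docx-like package (constructed sample, not a real file).

    When external_target is given, an oleObject relationship pointing at it is
    added with TargetMode="External" so the scanner has something to find.
    """
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Relationships xmlns="%s">' % REL_NS,
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        'Target="styles.xml"/>',
    ]
    if external_target:
        rels.append(
            '<Relationship Id="rId2" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            'Target="%s" TargetMode="External"/>' % external_target
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_docx()
    suspicious = build_sample_docx("http://example.invalid/page")  # placeholder URL
    print("clean package:", external_relationships(clean))
    print("package with external object:", external_relationships(suspicious))
```

Ordinary hyperlinks also use `TargetMode="External"`, so the list is a triage aid rather than a verdict: an external `hyperlink` is routine, while an external `oleObject` or similar embedded-object relationship is the kind of reference that deserves a closer look before the document is opened outside Protected View.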
That’s embarrassing or it would be embarrassing if Microsoft’s culture allowed such things.
It’s also understandable. Back in September, the security folks would have been focused on fixing the critical bug as fast as possible.
But having fixed the specific problem, Microsoft should devote some resources to the ‘bigger picture’ of identifying variations on the original hack. Switching between different compressed file formats should have been an obvious ruse.
This isn’t the first time Microsoft has made this mistake and it won’t be the last. The company seems to take the cheap route of playing ‘whack a mole’ individually for each bug instead of trying to anticipate where ‘moles’ might pop up next.
There’s a little good news. Sophos reports that the new attack lasted only a day and a half. It hasn’t been seen since.