Attackers have found a way to bypass a crucial Microsoft Office patch

All it took was using a different compressed file format

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Attackers have managed to create a novel exploit capable of bypassing a criticalremote code executionvulnerability inMicrosoft Officewhich was patched earlier this year.

According to new research from the cybersecurity firmSophos, the attackers were able to take a publicly available proof-of-concept Office exploit and weaponize it to deliver theFormbook malware.

Back in September,Microsoftreleased a patch to prevent attackers from executing malicious code embedded in aWorddocument that downloads a Microsoft Cabinet (CAB) archive containing a malicious executable. By reworking the original exploit and placing the malicious Word document inside a special crafted RAR archive, the attackers created a “CAB-less” form of the exploit capable of successfully evading the original patch.

Surprisingly though, this novel exploit was distributed usingspam emailsfor approximately 36 hours before it disappeared completely. Sophos' researchers believe that the exploit’s limited lifespan could mean that it was a “dry run” experiment that could be used in future attacks.

Bypassing a critical patch

During their investigation, Sophos' researchers found that the attackers responsible had created an abnormal RAR archive that had a PowerShell script prepending a malicious Word document stored inside the archive.

To spread their malformed RAR archive and its malicious contents, the attackers created and distributed spam emails which invited victims to uncompress the RAR file to access the Word document. However, opening the document triggered a process that ran the front-end script leading to their devices becoming infected withmalware.

Principal threat researcher at Sophos, Andrew Brandt explained how the attackers were able to get around Microsoft patching the original vulnerability in apress release, saying:

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“In theory, this attack approach shouldn’t have worked, but it did. The pre-patch versions of the attack involved malicious code packaged into a Microsoft Cabinet file. When Microsoft’s patch closed that loophole, attackers discovered a proof-of-concept that showed how you could bundle the malware into a different compressed file format, a RAR archive. RAR archives have been used before to distribute malicious code, but the process used here was unusually complicated. It likely succeeded only because the patch’s remit was very narrowly defined and because the WinRAR program that users need to open the RAR is very fault tolerant and doesn’t appear to mind if the archive is malformed, for example, because it’s been tampered with.”

While patching software against known vulnerabilities is important, it’s also equally important to educate employees regarding the dangers of openingsuspicious email attachmentsespecially when they arrive in unusual or unfamiliar compressed file formats.

We’ve also featured thebest malware removal software,best antivirusandbest endpoint protection software

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Your doctor may have an AI assistant taking notes during your next Zoom call