05-13-2014 01:39 PM
So, some of my clients are asking about the recent .RTF file vulnerability with Microsoft Word.
https://support.microsoft.com/kb/2949660
My question: will the IronPort appliances identify e-mails containing this malware so that they are blocked?
What actions are administrators taking to mitigate this?
Just asking...
05-13-2014 02:39 PM
Found a discussion where it is possibly an executable file embedded in the .RTF file that contains the malware. Our environment removes certain executable attachments, including .exe, from e-mails, but our IronPort appliances did not remove an embedded .exe file from a test .rtf file. It will remove .exe files from archive files, i.e. .zip. Just further info.
05-13-2014 03:00 PM
The Sophos engine running on the ESA/WSA is configured to look inside .rtf files for embedded objects. Sophos has classified the threat as Exp/20141761-A, related to CVE-2014-1761, and rules have been in place since 25 Mar 2014 03:16:52 (GMT) from Sophos. The Sophos engine on the ESA/WSA received an update shortly after Sophos' release.
Also related to:
https://technet.microsoft.com/library/security/2953095
From Cisco Security Center:
http://tools.cisco.com/security/center/viewAlert.x?alertId=33490
http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=33520
(which includes the following:)
Cisco Web and Email Security
Mitigation: Web Security
Cisco Web Security Appliances (WSA) can filter and protect corporate networks against web-based malware and spyware programs that can compromise corporate security and expose intellectual property. They operate as a proxy and can provide user- and group-based policies that filter certain URL categories, web content, web application visibility and control (AVC), websites based on web reputation, and malware. The WSA can also detect infected clients and stop malicious activity from going outside the corporate network using the L4 Traffic Monitor (L4TM). Policies can be configured using a web GUI. A CLI can also be used. The WSA includes protection for standard communication protocols, such as HTTP, HTTPS, FTP, and SOCKS.
To operate with network devices such as routers and firewalls, the WSA uses the Web Cache Communication Protocol (WCCP). With WCCP, content requests are transparently redirected to the WSA, which acts based on its configuration. Users do not need to configure a web-proxy in their browsers. In Cisco IOS, WCCP is enabled using the ip wccp commands and in the Cisco ASA using the wccp commands.
Cisco WSA can be used to mitigate MS14-017, MS14-019, and MS14-020 by filtering web traffic based on the following:
For more information, see the ASA: WCCP Step-by-Step Configuration document in the Cisco Support Community and the Cisco AsyncOS Web User Guide (PDF).
Mitigation: Email Security
Cisco Email Security Appliances (ESA) eliminate email spam and viruses, enforce corporate policy, and secure the network perimeter. They operate as an SMTP gateway, also known as a mail exchanger or MX. They can filter virus, spam, and phishing outbreaks. They also provide email encryption, message filtering, anti-spam services, antivirus services and more.
Cisco ESA can be used to mitigate MS14-017 and MS14-020 by filtering messages based on an attachment type of .rtf or .pub.
Filter actions allow messages to be dropped, bounced, archived, blind carbon copied, or altered.
Filters can also generate notifications.
For more information, see the Cisco AsyncOS Email Configuration Guide (PDF).
-Robert
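To show what "looking inside .rtf files for embedded objects" means in practice (the case from the second post, where an .exe is embedded in an .rtf as an OLE Package object), here is an added example scanner. It is not Cisco, Sophos or IronPort code; it decodes each `\objdata` hex payload, reads the OLE 1.0 ObjectHeader in front of the native data, and flags a "Package" class name or native data starting with the MZ executable signature. The RTF document it runs on is constructed inline and carries no real payload.

```python
import re
import struct

# Matches the hex payload that follows an RTF \objdata control word.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")

def parse_ole1(blob: bytes):
    """Return (class_name, native_data) from an OLE1 ObjectHeader, or None."""
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        if version != 0x501 or fmt != 2:          # FormatID 2 = embedded object
            return None
        off, names = 8, []
        for _ in range(3):                         # ClassName, TopicName, ItemName
            (n,) = struct.unpack_from("<I", blob, off)
            off += 4
            names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
            off += n
        (size,) = struct.unpack_from("<I", blob, off)  # NativeDataSize
        off += 4
        return names[0], blob[off:off + size]
    except struct.error:                           # truncated or non-OLE1 blob
        return None

def scan_rtf(text: str) -> list:
    """List every embedded object with the indicators a mail filter would act on."""
    findings = []
    for m in OBJDATA_RE.finditer(text):
        hexdata = re.sub(r"\s+", "", m.group(1))
        blob = bytes.fromhex(hexdata[: len(hexdata) & ~1])   # drop a stray nibble
        parsed = parse_ole1(blob)
        cls, data = parsed if parsed else (None, blob)
        findings.append({"class": cls,
                         "package": cls == "Package",      # arbitrary file embedded
                         "pe_payload": data[:2] == b"MZ",  # executable in native data
                         "bytes": len(data)})
    return findings

def lp(s: bytes) -> bytes:
    """Length-prefixed string, used only to build the constructed sample."""
    return struct.pack("<I", len(s)) + s

# Constructed sample: one Package object whose native data begins with a fake
# MZ header followed by zeros. Hypothetical test document, not a real exploit.
SAMPLE_RTF = (r"{\rtf1\ansi {\object\objemb{\*\objclass Package}{\*\objdata "
              + (struct.pack("<II", 0x501, 2) + lp(b"Package\x00") + lp(b"")
                 + lp(b"") + struct.pack("<I", 16) + b"MZ\x90\x00" + b"\x00" * 12).hex()
              + "}}}")

if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_RTF):
        print(finding)
```

A gateway rule built on these indicators would quarantine or strip the attachment rather than rely on the outer file extension alone.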