The vulnerability was discovered by the Adallom company and the attack was dubbed "Ice Dagger". The attackers used the vulnerability to steal Microsoft Office 365 authentication token. The victim of the unnamed company received an email with a link to attachment, located on a hidden server within TOR network. The vulnerability was reported to Microsoft in late May 2013.
Vulnerability details
Advisory: SB2013121001 - Information disclosure in Microsoft Office
Vulnerable component: Microsoft Office
CVE-ID: CVE-2013-5054
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
CWE-ID: CWE-200 - Information exposure
Description:
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to an error in handling of a specially crafted response when opening a malicious Office file. A remote attacker can create a specially crafted file using, host it on remote website, trick the victim into opening it and gain access to tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.
Note: the vulnerability was being actively exploited.
Known APT campaigns:
Ice Dagger attack
The attack is called тАЬIce DaggerтАЭ by Adallom security firm due to its sophistication.
External links:
https://technet.microsoft.com/en-us/library/security/ms13-104.aspx
https://www.symantec.com/security_response/vulnerability.jsp?bid=64092
http://blog.talosintel.com/2013/12/microsoft-update-tuesday-december-2013.html
https://www.scmagazine.com/patch-tuesday-update-addresses-24-bugs-including-exploited-tiff-zero-day/...
http://news.softpedia.com/news/Newly-Patched-Office-365-Vulnerability-Used-in-Ice-Dagger-Targeted-At...
http://it.toolbox.com/blogs/securitymonkey/flaw-in-microsoft-office-365-allows-perfect-crime-58421