Ransomware protection in Windows Defender can be circumvented with the help of Office OLE objects.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A security researcher was able to bypass the Controlled Folder Access feature in Windows 10 using OLE objects hidden in Office files.
- Using augmented Office files, a hacker could steal data from a Windows 10 user and hold it for ransom.
The Controlled Folder Access (CFA) in Windows 10—which Microsoft promoted as protection against ransomware—can be easily bypassed with the use of 'boobytrapped' Office files, according to work from security researcher Yago Jesus.
CFA was added to Windows Defender in the Windows 10 Fall Creators Update in late 2017. Essentially, CFA keeps suspicious apps from augmenting or editing any files stored in a particular protected folder. However, the fact that it can be bypassed with the use of Office files could mean it isn't as secure as once thought.
Normally, a user must approve an app's ability to edit files stored in these protected CFA folders by whitelisting the app, as noted by Bleeping Computer. But Office files are automatically whitelisted, which provides a workaround.
SEE: Cybersecurity spotlight: The ransomware battle (Tech Pro Research)
"By default, Office executables are included in the whitelist so these programs could make changes in protected folders without restrictions," Jesus wrote in the report.
The key point here, Jesus noted, it that edit access is granted even to users working with Object Linking & Embedding (OLE) objects, which can programatically drive Office executables. This means that a ransomware developer could modify their software to use OLE objects, allowing them to change, edit, or delete a victim's files without detection.
In his report, Jesus shows a few examples of Python scripts that could use OLE objects to bypass the CFA folder protections. And that doesn't only affect Office files.
"Notice that Office could be used to edit PDF files, Image files and others type of files not strictly related to Office documents," Jesus wrote.
Jesus reported the problem to Microsoft, which responded by acknowledging the issues but claiming they are not classified as a vulnerability. Microsoft said that it would address the issues through an "improvement" made to CFA.
- Special report: Cybersecurity in an IoT and mobile world (free PDF) (TechRepublic)
- Microsoft: Windows 10 will stop a ransomware epidemic when antivirus fails (ZDNet)
- Windows 10 Creators Update: The smart person's guide (TechRepublic)
- Windows 10 tip: Turn on the new anti-ransomware features in the Fall Creators Update (ZDNet)
- How to protect your Windows 10 PC from ransomware with the Fall Creators Update (TechRepublic)