
MS Word LoadLib exploit mitigation

Hi Folks,

Got a setup of multiple computers, Office 2016 (32-bit), a custom-written database and a newly introduced Intercept X.

This only occurs on a single PC; all PCs are set up identically. It did go away for a short time, but when opening the database it seemed to trigger it off. Once it's triggered, none of the Office apps seem to work (Word, Excel etc.) and all trigger these.

Anyone have any clue where to start with it? I've used the Sophos SDU and am about to open a case with support; thought I'd ask here too.

Cheers

Ian


What:
Exploit LoadLib
no business files were involved
Where: On xxx that belongs to xxx
When:
Detected on Mar 9, 2017 3:42 PM
How:
winword.exe

Mitigation LoadLib

Platform 10.0.14393/x64 v583 06_5e
PID 7876
Application C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Description Microsoft Word 16

\\xxx\database\User Files\xxx\MouseHook.dll
Process Trace
1 C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE [7876]
2 C:\Windows\explorer.exe [4748]
3 C:\Windows\System32\userinit.exe [4680]
4 C:\Windows\System32\winlogon.exe [720]

Thumbprint
d275bc554957fe38a120aff3ff618c037adc47c5ef62d14de1c07425df37acd0



  • Best bet is to work with support and get the information to them; it will then make it to our fast-track development team for review. I have not been seeing this at other accounts, but it looks like you have a fairly reproducible defect and that will make identification of the problem and fixing easier. Also, dev teams do monitor the forum so we may already have someone looking into it, but to ensure this gets properly tracked and pushed through the system please go through support.

    Thanks for the feedback

  • Cheers Karl,

    It's raised with support as well, just attacking the issues from all sides. The mousehook.dll file has been submitted for analysis too. 

    One of my bigger worries is that LoadLib is apparently one of the most exploited exploits in Office applications, so not having the protection after a tough sale for the client to get it could be an issue.


    Cheers,

    Ian

  • Ian,

    Has there been any resolution with your issue?  I have been having the same issue since deploying InterceptX. 


    Thank You,

    CW

  • Hi Carrie,

    I'm still working (slowly, difficult to continually change things in a busy business) to figure out why it's doing this. 

    We've managed to get around it by copying the database front-end files + DLL to the local c:\database folder and running them from there for this single user, but it's not an ideal fix. The method of loading a DLL via UNC path was advised against by Sophos, which I can understand; what baffles me is that it only happens to one user in a department who all had new PCs all set up exactly the same.

    Ian

  • It might be interesting to revert back to the original configuration on the problematic PC and create a Process Monitor (technet.microsoft.com/.../processmonitor.aspx) capture of the events. I.e. close Word, start Process Monitor (include the system process), launch Word, etc. until you get the mitigation event, and then stop capturing and save all events as a .pml file. It would be interesting to compare the PML of a non-affected computer and the affected computer, especially around the Load Image events of the remote DLL(s). This could highlight the subtle differences.

    Regards,

    Jak

  • Hi Jak,


    Yes, good idea, though it's not that easy to revert the changes and stuff as they need to work and process orders/queries. I might be able to do the Procmon capture while it's in its current state for reference.

    I was trying to use Process Monitor to see if the DLL was loaded but I can't see that it is. I'm waiting on a copy of the VBA that loads the DLL so I can see what it does.


    Ta

    Ian
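The comparison Jak proposes (Load Image events of the affected vs. an unaffected PC) and Ian's difficulty spotting the DLL load in Process Monitor, worked as an added example that is not part of this thread: it reads two Procmon CSV exports (File > Save, CSV), keeps only WINWORD.EXE Load Image events, flags UNC-path loads, and diffs the two captures. The captures are constructed here, one loading MouseHook.dll from the share path in the alert and the other from the local c:\database copy described above; the column names are Procmon's default CSV header.

```python
import csv
import io
from typing import List, Tuple

# Constructed Procmon CSV exports for the two PCs in the thread; every value is made up
# except the DLL share path, which is the one reported in the mitigation event.
AFFECTED_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:42:01.0000000 PM","WINWORD.EXE","7876","Load Image","C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE","SUCCESS","Image Base: 0x400000"
"3:42:05.0000000 PM","WINWORD.EXE","7876","CreateFile","\\xxx\database\User Files\xxx\MouseHook.dll","SUCCESS","Desired Access: Read"
"3:42:07.0000000 PM","WINWORD.EXE","7876","Load Image","\\xxx\database\User Files\xxx\MouseHook.dll","SUCCESS","Image Base: 0x10000000"
'''
UNAFFECTED_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:50:11.0000000 PM","WINWORD.EXE","5120","Load Image","C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE","SUCCESS","Image Base: 0x400000"
"3:50:14.0000000 PM","WINWORD.EXE","5120","Load Image","C:\database\MouseHook.dll","SUCCESS","Image Base: 0x10000000"
'''


def image_loads(csv_text: str, process: str = "WINWORD.EXE") -> List[str]:
    """Return the Path of every Load Image event for the given process.

    Two things decide whether the DLL shows up at all: Load Image events are
    only displayed when Procmon's 'Show Process and Thread Activity' class is
    enabled, and a DLL declared in VBA is mapped on its first call, so the
    capture must span the action in the database that triggers that call.
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["Path"] for r in rows
            if r["Operation"] == "Load Image"
            and r["Process Name"].lower() == process.lower()]


def is_unc(path: str) -> bool:
    # A module mapped from \\server\share is what the LoadLib mitigation objected to.
    return path.startswith("\\\\")


def compare_captures(affected: str, unaffected: str) -> Tuple[List[str], List[str]]:
    """Images loaded only on the affected PC, and only on the unaffected PC."""
    a, u = set(image_loads(affected)), set(image_loads(unaffected))
    return sorted(a - u), sorted(u - a)


if __name__ == "__main__":
    only_affected, only_unaffected = compare_captures(AFFECTED_CSV, UNAFFECTED_CSV)
    for p in only_affected:
        print(f"affected only:   {p}" + ("  <- loaded over UNC" if is_unc(p) else ""))
    for p in only_unaffected:
        print(f"unaffected only: {p}")
```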