Hi guys,

So we have an interesting problem we are trying to figure out how to fix. We have a few users that run an external script in Microsoft Word, and the only way to allow this script with anti-exploit running is to unshield Word in anti-exploit. I’d hate to have to disable the Microsoft Word shield altogether.

Here's the alert:

 "2016-11-16T16:09:26.690-05:00";"userA1111";"2056";"C:\ProgramData\Oracle\Java\javapath\javaw.exe";"9424";"WINWORD.EXE";"3";"701";"207";"";"";"";"";"";"";"C:\windows\SYSTEM32\cmd.exe \C FOR %a In (C:\Users\userA1111\AppData\Local\Oracle\BIPublisher\TemplateBuilderforWord\tmp\tmp\201479330564782out.pdf) DO START %~sa";"";"";"";""

Any help with this is most appreciated. Thanks.

-Robbie


That's a hard block. You don't want to allow Word to perform those types of actions. It's one of the top 3 malspam infection vectors. The only way to allow it is to deactivate the Word shield, which we obviously don't recommend.

Seems like the parent is Java. Could this be by some in-house or third-party application? If that's the case, I'd be having a conversation about basic security best practices with the vendor.

I know this puts you between a rock and a hard place and am sorry for that, but unfortunately from our perspective allowing this type of Word behavior would practically equate to allowing our customers to become infected.


Thanks for the quick reply, Pedro! You are correct. The add-in is a third-party add-in through a product by Oracle called BIPublisher. I think it is this product, specifically: http://www.peoplesoftpages.com/installation-of-peoplesoft-bi-publisher-xml-publisher/

I will get with this user and see if there is any way to run this script outside of Word and not using a macro. I am in agreement with you that this type of Word behavior is frowned upon and should be discouraged, especially in light of all the attack vectors that take place using these sorts of external commands via macros.

-Robbie
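
The alert from the first post, parsed and triaged as an added example that is not part of the original thread or of any vendor tooling. The field positions are assumptions inferred from that one quoted line, and the process-name lists are illustrative.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Alert line exactly as quoted in the first post of the thread.
ALERT = r'"2016-11-16T16:09:26.690-05:00";"userA1111";"2056";"C:\ProgramData\Oracle\Java\javapath\javaw.exe";"9424";"WINWORD.EXE";"3";"701";"207";"";"";"";"";"";"";"C:\windows\SYSTEM32\cmd.exe \C FOR %a In (C:\Users\userA1111\AppData\Local\Oracle\BIPublisher\TemplateBuilderforWord\tmp\tmp\201479330564782out.pdf) DO START %~sa";"";"";"";""'

# Assumption: positions are inferred from the single line above, not from
# vendor documentation. The other columns are left unnamed.
FIELDS = {"time": 0, "user": 1, "parent_image": 3, "shielded_app": 5, "command": 15}

# Illustrative lists, not exhaustive.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
JAVA = {"java.exe", "javaw.exe"}


def parse_alert(line):
    """Split one semicolon-delimited, double-quoted alert line into named fields."""
    row = next(csv.reader(io.StringIO(line.strip()), delimiter=";", quotechar='"'))
    return {name: row[i] for name, i in FIELDS.items() if i < len(row)}


def triage(alert):
    """Return the reasons this alert matches the pattern discussed in the thread."""
    cmd = alert.get("command", "")
    # Simplification: the launched image is taken as the first space-separated
    # token, which holds for unquoted paths without spaces such as this one.
    child = PureWindowsPath(cmd.split(" ", 1)[0]).name.lower()
    parent = PureWindowsPath(alert.get("parent_image", "")).name.lower()
    findings = []
    if alert.get("shielded_app", "").lower() in OFFICE and child in SHELLS:
        findings.append("office-spawns-shell")      # the behaviour the shield blocks
    if parent in JAVA:
        findings.append("java-parent")              # points at an add-in or helper app
    target = re.search(r"\(([^)]+)\)", cmd)         # file set inside FOR ... In (...)
    if target and "\\appdata\\" in target.group(1).lower():
        findings.append("target-in-user-profile")   # user-writable location
    return findings


if __name__ == "__main__":
    parsed = parse_alert(ALERT)
    print(parsed["user"], parsed["shielded_app"], triage(parsed))
```

Grouping the output by parent image and shielded application across many alerts shows whether the blocks all come from one add-in, which is the evidence to take to the vendor.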
