Security Experts:

Connect with us

Hi, what are you looking for?



Year-Old Office Vulnerabilities Most Popular in Current Attacks

Most attacks that are targeting vulnerabilities in Microsoft Office to compromise victims’ systems are currently leveraging two security issues that were discovered last year, SophosLabs researchers warn.

Most attacks that are targeting vulnerabilities in Microsoft Office to compromise victims’ systems are currently leveraging two security issues that were discovered last year, SophosLabs researchers warn.

Over the past several weeks, CVE-2015-1641 and CVE-2015-2545 have emerged as the most popular Office exploits out there, dethroning CVE-2012-0158, a four-year old vulnerability that experts suggested might be called “the bug that just won’t die.” Still leveraged in many attacks, the bug fuels only a small percentage of them now, although it was abused in approxiately half of incidents in Q4 2015.

According to a new report from SophosLabs, CVE-2015-1641 now accounts for nearly 66% of attacks, although it has been on the charts for only several months, while CVE-2015-2545 fuels around 17% of attacks after recently entering the cybercrime stage and making a sudden impact. CVE-2012-0158 is now the third most popular Office exploit, leveraged in less than 12% of attacks.

The switch to newer exploits isn’t surprising, because users gradually patch older security flaws and attacks are no longer as successful. What might be surprising is that cybercriminals stayed with CVE-2012-0158 for so long and that they suddenly moved to a new vulnerability.

SophosLabs researchers, however, say that this makes perfect sense. Cybercriminals “rely on the availability of published exploit kits. As such, until these kits utilize the newer exploit code, the criminals typically do not incorporate them downstream.”

Thus, the sudden shift in exploit usage is attributed to the most widely used AK-1 kit being upgraded to AK-2, which dropped the older flaw to the newer, more impactful CVE-2015-1641, and to Microsoft Word Intruder (MWI), another popular crimeware kit, also adding support for the newer vulnerability. Additionally, the cybercriminal groups that actively distributed FareIt and Zbot are believed to have switched from the DL-2 exploit kit to a solution using the CVE-2015-2545 exploit.

The inclusion of CVE-2015-1641 in AK-2 happened a while ago, but its availability in MWI is something new, SophosLabs’ report suggests. The kit was recently updated with some other functionality as well, including decoy documents, which are displayed before triggering the exploit. The typical payloads in the malicious documents created with it include the Zeus and Fareit Trojans, NetWiredRC and Nanocore backdoors, PredatorPain keylogger and the LuminosityLink RAT, researchers say.

The CVE-2015-2545 vulnerability started its lifecycle as many other Office exploits do: high-end APT groups were using it at the 0-day stage, before an official patch was released for it. This remote code execution flaw was abused by an APT group dubbed Platinum and TwoForOne before Microsoft released a patch in September 2015. However, other groups started using it after the patch, including EvilPost and APT16, as well as NetTraveler.

According to Sophos, from a criminal’s point of view, CVE-2015-2545 and CVE-2015-1641 appear as good replacements for the CVE-2012-0158 exploit, especially since the latter is already included in MWI and AK-2 exploit kits.

“We can expect that more cybercrime groups will discover this possibility, and we will see an increase in the use of the new Office exploits in the general user base,” SophosLabs’ Gabor Szappanos says. “The good news is that both vulnerabilities have long been fixed and patches are available. Time to install those Office security updates!”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet