IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Tool that scans office software for vulnerabilities finds almost 100 in Word and Acrobat

Myriad flaws in Microsoft Word, Adobe Acrobat, and Foxit Reader were discovered as part of the research project that netted $22,000 in bug bounty rewards

Security researchers have developed a tool to scan popular office software for security vulnerabilities, and have already found more than 100 vulnerabilities across Microsoft Word, Adobe Acrobat and Foxit Reader.

The tool, known as Cooper, approaches vulnerability scanning by looking at the way in which office software integrates programming languages like JavaScript and Python to perform automated functions such as file manipulation.

The research co-authored by Peng Xu, Yanhao Wang, Hong Hu, and Purui Su from the School of Cyber Security at the University of Chinese Academy of Sciences, introduced the tool and highlights vulnerabilities caused by the interaction of high and low-level languages.

In a research paper detailing the Cooper tool, the researchers said a ‘binding layer’ is required to essentially translate the script’s actions, written in the high-level languages such as JavaScript and Python, into code that can be interpreted by low-level languages (C/C++) used to implement the script’s actions into the software itself.

This binding layer is prone to producing inconsistent representations of the scripts and can sometimes also overlook crucial security checks, leading to “severe security vulnerabilities” being found in the software.

After running Cooper on Adobe Acrobat, Microsoft Word, and Foxit Reader, the researchers were able to find a total of 134 novel bugs – 60 for Adobe Acrobat, 56 in Foxit Reader, and 18 in Microsoft Word.

Most of the bugs found by Cooper as part of the research (103) have been confirmed and 59 of them have been fixed already, netting the researchers $22,000 in bug bounties.

A total of 33 CVEs (official, trackable vulnerability codes) have been issued too, including CVE-2021-21028 and CVE-2021-21035 - a pair of bugs in Adobe Acrobat each with an 8.8 rating on the CVSSv3 severity scale.

The researchers used fuzzing to test for vulnerabilities in the programmes – a technique commonly used in such research and involves randomly generating a large number of inputs which are fed into the programme to highlight behavioural anomalies, the researchers said. 

There were limitations to using the technique, and the researchers developed “novel techniques”: object clustering, statistical relationship inference, and relationship-guided mutation to address these.

Related Resource

The state of brand protection 2021

A new front opens up in the war for brand safety

A log-in screen with a red background - whitepaper from MimecastFree download

The limitations of fuzzing lie in the way in which it explores the mutation of code. Fuzzing is one-dimensional, in that it modifies statements from the high-level code only, but binding statements receives inputs from two dimensions – the high-level code in the scripts and the low-level code in the underlying system.

This restriction means every bug in the binding code cannot be discovered in just one dimension.

This was evidenced by the researchers who used the existing Domato JavaScript fuzzer in the experiment too, which found markedly fewer bugs that Cooper.

The researchers plan to release the open source code for Cooper via their GitHub page so the community can help build it out and further improve the security of binding layers.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Most Popular

Why convenience is the biggest threat to your security

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Microsoft successfully tests emission-free hydrogen fuel cell system for data centres
data centres

Microsoft successfully tests emission-free hydrogen fuel cell system for data centres

29 Jul 2022