IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Tool that scans office software for vulnerabilities finds almost 100 in Word and Acrobat

Myriad flaws in Microsoft Word, Adobe Acrobat, and Foxit Reader were discovered as part of the research project that netted $22,000 in bug bounty rewards

Security researchers have developed a tool to scan popular office software for security vulnerabilities, and have already found more than 100 vulnerabilities across Microsoft Word, Adobe Acrobat and Foxit Reader.

The tool, known as Cooper, approaches vulnerability scanning by looking at the way in which office software integrates programming languages like JavaScript and Python to perform automated functions such as file manipulation.

The research co-authored by Peng Xu, Yanhao Wang, Hong Hu, and Purui Su from the School of Cyber Security at the University of Chinese Academy of Sciences, introduced the tool and highlights vulnerabilities caused by the interaction of high and low-level languages.

In a research paper detailing the Cooper tool, the researchers said a ‘binding layer’ is required to essentially translate the script’s actions, written in the high-level languages such as JavaScript and Python, into code that can be interpreted by low-level languages (C/C++) used to implement the script’s actions into the software itself.

This binding layer is prone to producing inconsistent representations of the scripts and can sometimes also overlook crucial security checks, leading to “severe security vulnerabilities” being found in the software.

After running Cooper on Adobe Acrobat, Microsoft Word, and Foxit Reader, the researchers were able to find a total of 134 novel bugs – 60 for Adobe Acrobat, 56 in Foxit Reader, and 18 in Microsoft Word.

Most of the bugs found by Cooper as part of the research (103) have been confirmed and 59 of them have been fixed already, netting the researchers $22,000 in bug bounties.

A total of 33 CVEs (official, trackable vulnerability codes) have been issued too, including CVE-2021-21028 and CVE-2021-21035 - a pair of bugs in Adobe Acrobat each with an 8.8 rating on the CVSSv3 severity scale.

The researchers used fuzzing to test for vulnerabilities in the programmes – a technique commonly used in such research and involves randomly generating a large number of inputs which are fed into the programme to highlight behavioural anomalies, the researchers said. 

There were limitations to using the technique, and the researchers developed “novel techniques”: object clustering, statistical relationship inference, and relationship-guided mutation to address these.

Related Resource

The state of brand protection 2021

A new front opens up in the war for brand safety

A log-in screen with a red background - whitepaper from MimecastFree download

The limitations of fuzzing lie in the way in which it explores the mutation of code. Fuzzing is one-dimensional, in that it modifies statements from the high-level code only, but binding statements receives inputs from two dimensions – the high-level code in the scripts and the low-level code in the underlying system.

This restriction means every bug in the binding code cannot be discovered in just one dimension.

This was evidenced by the researchers who used the existing Domato JavaScript fuzzer in the experiment too, which found markedly fewer bugs that Cooper.

The researchers plan to release the open source code for Cooper via their GitHub page so the community can help build it out and further improve the security of binding layers.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
How full-stack observability can accelerate IT innovation
Sponsored

How full-stack observability can accelerate IT innovation

3 May 2022