IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Tool that scans office software for vulnerabilities finds almost 100 in Word and Acrobat

Myriad flaws in Microsoft Word, Adobe Acrobat, and Foxit Reader were discovered as part of the research project that netted $22,000 in bug bounty rewards

Security researchers have developed a tool to scan popular office software for security vulnerabilities, and have already found more than 100 vulnerabilities across Microsoft Word, Adobe Acrobat and Foxit Reader.

The tool, known as Cooper, approaches vulnerability scanning by looking at the way in which office software integrates programming languages like JavaScript and Python to perform automated functions such as file manipulation.

The research co-authored by Peng Xu, Yanhao Wang, Hong Hu, and Purui Su from the School of Cyber Security at the University of Chinese Academy of Sciences, introduced the tool and highlights vulnerabilities caused by the interaction of high and low-level languages.

In a research paper detailing the Cooper tool, the researchers said a ‘binding layer’ is required to essentially translate the script’s actions, written in the high-level languages such as JavaScript and Python, into code that can be interpreted by low-level languages (C/C++) used to implement the script’s actions into the software itself.

This binding layer is prone to producing inconsistent representations of the scripts and can sometimes also overlook crucial security checks, leading to “severe security vulnerabilities” being found in the software.

After running Cooper on Adobe Acrobat, Microsoft Word, and Foxit Reader, the researchers were able to find a total of 134 novel bugs – 60 for Adobe Acrobat, 56 in Foxit Reader, and 18 in Microsoft Word.

Most of the bugs found by Cooper as part of the research (103) have been confirmed and 59 of them have been fixed already, netting the researchers $22,000 in bug bounties.

A total of 33 CVEs (official, trackable vulnerability codes) have been issued too, including CVE-2021-21028 and CVE-2021-21035 - a pair of bugs in Adobe Acrobat each with an 8.8 rating on the CVSSv3 severity scale.

The researchers used fuzzing to test for vulnerabilities in the programmes – a technique commonly used in such research and involves randomly generating a large number of inputs which are fed into the programme to highlight behavioural anomalies, the researchers said. 

There were limitations to using the technique, and the researchers developed “novel techniques”: object clustering, statistical relationship inference, and relationship-guided mutation to address these.

Related Resource

The state of brand protection 2021

A new front opens up in the war for brand safety

A log-in screen with a red background - whitepaper from MimecastFree download

The limitations of fuzzing lie in the way in which it explores the mutation of code. Fuzzing is one-dimensional, in that it modifies statements from the high-level code only, but binding statements receives inputs from two dimensions – the high-level code in the scripts and the low-level code in the underlying system.

This restriction means every bug in the binding code cannot be discovered in just one dimension.

This was evidenced by the researchers who used the existing Domato JavaScript fuzzer in the experiment too, which found markedly fewer bugs that Cooper.

The researchers plan to release the open source code for Cooper via their GitHub page so the community can help build it out and further improve the security of binding layers.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers
ransomware

Linux-based Cheerscrypt ransomware found targeting VMware ESXi servers

26 May 2022