NEWS FROM THE LAB - Friday, April 4, 2014

DeepGuard 5 vs. Word RTF Zero-Day CVE-2014-1761

Posted by Timo @ 21:36 GMT

Now that we have our hands on a sample of the latest Word zero-day exploit (CVE-2014-1761), we can finally address a frequently asked question: does F-Secure protect against this threat? To find out, I opened the exploit on a system protected with F-Secure Internet Security 2014, and here's the result:

[Image: DeepGuard 5 blocking CVE-2014-1761 exploit]

Our Internet Security 2014 blocked the threat using the exploit interception feature introduced in DeepGuard version 5. And the best part is we didn't need to add or modify anything — the zero-day was blocked by the exact same detection that was already included in the initial release of DeepGuard 5 in June 2013. This means that our users were protected against this threat long before we even got a sample, and also several months before the attack was reported by Microsoft. DeepGuard 5 shows the power of proactive, behavior-based protection again (and again).

Microsoft will release a patch for the vulnerability on Tuesday, April 8, 2014. In the meantime, you should check the mitigations and workarounds Microsoft recommends.

We have also added a generic detection, Exploit:W32/CVE-2014-1761.A, to detect the exploit before the document is opened.

Exploit SHA1: 200f7930de8d44fc2b00516f79033408ca39d610

Updated to add on April 7th:

Here's a brief video demonstration.