Tool that scans office software for vulnerabilities finds almost 100 in Word and Acrobat

Security researchers have developed a tool to scan popular office software for security vulnerabilities, and have already found more than 100 vulnerabilities across Microsoft Word, Adobe Acrobat and Foxit Reader.

The tool, known as Cooper, approaches vulnerability scanning by looking at the way in which office software integrates programming languages like JavaScript and Python to perform automated functions such as file manipulation.

The research co-authored by Peng Xu, Yanhao Wang, Hong Hu, and Purui Su from the School of Cyber Security at the University of Chinese Academy of Sciences, introduced the tool and highlights vulnerabilities caused by the interaction of high and low-level languages.

In a research paper detailing the Cooper tool, the researchers said a ‘binding layer’ is required to essentially translate the script’s actions, written in the high-level languages such as JavaScript and Python, into code that can be interpreted by low-level languages (C/C++) used to implement the script’s actions into the software itself.

This binding layer is prone to producing inconsistent representations of the scripts and can sometimes also overlook crucial security checks, leading to “severe security vulnerabilities” being found in the software.

After running Cooper on Adobe Acrobat, Microsoft Word, and Foxit Reader, the researchers were able to find a total of 134 novel bugs – 60 for Adobe Acrobat, 56 in Foxit Reader, and 18 in Microsoft Word.

Most of the bugs found by Cooper as part of the research (103) have been confirmed and 59 of them have been fixed already, netting the researchers $22,000 in bug bounties.

A total of 33 CVEs (official, trackable vulnerability codes) have been issued too, including CVE-2021-21028 and CVE-2021-21035 - a pair of bugs in Adobe Acrobat each with an 8.8 rating on the CVSSv3 severity scale.

The researchers used fuzzing to test for vulnerabilities in the programmes – a technique commonly used in such research and involves randomly generating a large number of inputs which are fed into the programme to highlight behavioural anomalies, the researchers said.

There were limitations to using the technique, and the researchers developed “novel techniques”: object clustering, statistical relationship inference, and relationship-guided mutation to address these.

The limitations of fuzzing lie in the way in which it explores the mutation of code. Fuzzing is one-dimensional, in that it modifies statements from the high-level code only, but binding statements receives inputs from two dimensions – the high-level code in the scripts and the low-level code in the underlying system.

This restriction means every bug in the binding code cannot be discovered in just one dimension.

This was evidenced by the researchers who used the existing Domato JavaScript fuzzer in the experiment too, which found markedly fewer bugs that Cooper.

The researchers plan to release the open source code for Cooper via their GitHub page so the community can help build it out and further improve the security of binding layers.