Recently there have been a number of reports of RTF exploits using a new trick: embedding OpenXML (docx) exploits inside the RTF to build a multi-exploit "master key" that covers several recently patched vulnerabilities in a single file, with low AV detection. In particular, the file tweeted on March 29 by @botherder got our attention; it was also covered by McAfee and Blue Coat.
Original filename: aircanada_eticket_820910108.doc
Superficially, the RTF component exploits CVE-2010-3333, but the file also carries an Open XML (docx) document exploiting CVE-2012-1856 and an embedded TIFF exploiting CVE-2013-3906. AV detection that names only the most obvious (and oldest) bug, CVE-2010-3333, is misleading if it leads you to assume that being patched against that one CVE protects you from this file.
[Screenshot: RTF content with embedded OpenXML (zip header)]
[Screenshot: OpenXML embedded content and CVE-2012-1856 ActiveX files]
[Screenshot: CVE-2012-1856 classid referenced in activeXNN.xml files]
[Screenshot: RTF start of the CVE-2013-3906 TIFF, referenced as a JPEG]
We quietly added support for OpenXML (docx etc.) embedded in RTF to Cryptam a couple of weeks ago, but are just now getting the word out. Our testing has shown that most of the embedded OpenXML files are likely crafted by hand, since their magic numbers tend to match a plain Zip archive rather than a properly generated OpenXML document. Both the Cryptam web suite and the command line version now process embedded OpenXML files, automatically extracting and scanning them. To cope with the corrupt zip metadata that the built-in zip support cannot handle, we now shell out to an external zip command.
free on our website.
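The following is an added illustration, written for this post and not Cryptam's own code, of the three checks described above: carving hex-encoded objects out of an RTF, listing an embedded OpenXML container even when its central directory is corrupt (the case where Cryptam falls back to an external zip tool), and flagging the two tells from the screenshots, an activeXNN.xml part referencing a known-bad classid and a TIFF stored under \jpegblip. Assumptions not taken from the post: the CLSID in SUSPECT_CLSIDS is the MSCOMCTL TabStrip identifier commonly associated with CVE-2012-1856 and should be replaced with whatever your sample references; the "[Content_Types].xml comes first" heuristic for a Word-generated file is an approximation of what file-type magic keys on; and the RTF sample is constructed in build_sample_rtf, not the real aircanada_eticket_820910108.doc.

```python
import io
import re
import struct
import zipfile
import zlib

# Assumed, not stated in the post: the MSCOMCTL TabStrip CLSID commonly associated with
# CVE-2012-1856. Extend with whatever CLSIDs the activeXNN.xml files in your sample reference.
SUSPECT_CLSIDS = {"1EFB6596-857C-11D1-B16A-00C0F0283628": "CVE-2012-1856 (MSCOMCTL TabStrip)"}

ZIP_LOCAL = b"PK\x03\x04"
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
HEX_RUN = re.compile(rb"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}\s*){32,}")  # 32+ bytes of hex text
DEST_RE = re.compile(rb"\\(objdata|jpegblip|pngblip|emfblip|wmetafile\d*)")
CLSID_RE = re.compile(r'classid="\{?([0-9A-Fa-f-]{36})\}?"', re.I)

def hex_runs(rtf):
    """Yield (offset, decoded bytes) for each long hex run: \\objdata and \\pict payloads are hex
    text. Obfuscated RTF needs a real tokenizer (e.g. oletools rtfobj); this handles the plain case."""
    for m in HEX_RUN.finditer(rtf):
        clean = re.sub(rb"\s", b"", m.group(0))
        yield m.start(), bytes.fromhex(clean[:len(clean) & ~1].decode("ascii"))

def declared_destination(rtf, offset):
    """Last \\objdata or \\*blip control word before the run, i.e. what the RTF claims the data is."""
    last = None
    for m in DEST_RE.finditer(rtf, 0, offset):
        last = m.group(1).decode("ascii")
    return last

def walk_local_headers(data):
    """Recover entries from local file headers alone, for archives whose central directory is
    damaged: zipfile refuses those, which is the case the post handles with an external unzip."""
    entries, pos = [], 0
    while (pos := data.find(ZIP_LOCAL, pos)) != -1 and pos + 30 <= len(data):
        _, _, _, method, _, _, _, csize, _, nlen, xlen = struct.unpack("<IHHHHHIIIHH", data[pos:pos + 30])
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        if method == 8:  # deflate: let zlib find the stream end, so a zeroed size field does not matter
            d = zlib.decompressobj(-15)
            try:
                content = d.decompress(data[start:])
                consumed = len(data) - start - len(d.unused_data)
            except zlib.error:
                content, consumed = b"", max(csize, 1)
        else:  # stored (or an unknown method): trust the size in the header
            content, consumed = (data[start:start + csize] if method == 0 else b""), max(csize, 1)
        entries.append((name, content))
        pos = start + consumed
    return entries

def zip_entries(data):
    """(entries, parser): zipfile for an intact archive, local-header walk otherwise."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, zf.read(i)) for i in zf.infolist()], "zipfile"
    except (zipfile.BadZipFile, RuntimeError, ValueError, OSError, EOFError):
        return walk_local_headers(data), "local-headers"

def looks_word_generated(entries):
    """Heuristic (assumption): Word writes [Content_Types].xml as the first entry, which is what
    file-type magic keys on to report an Office document instead of a plain Zip archive."""
    return bool(entries) and entries[0][0] == "[Content_Types].xml"

def activex_clsids(entries):
    """(part name, CLSID, known CVE or None) for every classid in word/activeX/activeXNN.xml."""
    hits = []
    for name, content in entries:
        if re.fullmatch(r"word/activeX/activeX\d+\.xml", name):
            for m in CLSID_RE.finditer(content.decode("utf-8", "replace")):
                hits.append((name, m.group(1).upper(), SUSPECT_CLSIDS.get(m.group(1).upper())))
    return hits

def analyze_rtf(rtf):
    """One dict per carved payload: zips are listed and checked for ActiveX CLSIDs, picture
    data is compared with the blip type the RTF declares for it."""
    report = []
    for off, blob in hex_runs(rtf):
        declared = declared_destination(rtf, off)
        z = blob.find(ZIP_LOCAL)  # an OLE1 wrapper may precede the zip inside \objdata
        if z != -1:
            entries, parser = zip_entries(blob[z:])
            report.append({"offset": off, "declared": declared, "kind": "zip", "parser": parser,
                           "entries": [n for n, _ in entries], "word_generated": looks_word_generated(entries),
                           "clsids": activex_clsids(entries)})
        elif blob.startswith(TIFF_MAGICS):
            report.append({"offset": off, "declared": declared, "kind": "tiff",
                           "mismatch": declared in ("jpegblip", "pngblip")})
    return report

def build_sample_rtf(corrupt_zip=False):
    """Constructed sample (not the real aircanada_eticket_820910108.doc): a hand-built 'docx' with
    the wrong entry order and an ActiveX part carrying the suspect CLSID inside \\objdata, plus a
    TIFF header declared as \\jpegblip. corrupt_zip=True smashes the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.xml",
                    '<ax:ocx ax:classid="{%s}" ax:persistence="persistStreamInit"/>' % next(iter(SUSPECT_CLSIDS)))
        zf.writestr("[Content_Types].xml", "<Types/>")
    docx = buf.getvalue()
    if corrupt_zip:
        docx = docx.replace(b"PK\x01\x02", b"XX\x01\x02")
    tiff = b"II*\x00\x08\x00\x00\x00" + bytes(32)
    return (b"{\\rtf1\\ansi\n{\\object\\objemb{\\*\\objdata\n" + docx.hex().encode() + b"\n}}\n"
            b"{\\pict\\jpegblip\\picw100\\pich100\n" + tiff.hex().encode() + b"\n}\n}")

if __name__ == "__main__":
    for corrupt in (False, True):
        for item in analyze_rtf(build_sample_rtf(corrupt)):
            print(item)
```

Running the script shows the same two findings for the intact and the corrupted container: the embedded zip is not Word-generated, its activeX1.xml references the suspect classid, and the picture declared as JPEG starts with a TIFF header. The second pass reports parser "local-headers", which is the point of the fallback: a damaged central directory is enough to make stock zip libraries (and some AV engines) give up, while the local file headers still carry every part an extractor needs.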