Mimecast Discovers MPP Bleed, a Microsoft Project Vulnerability

Editor’s note: Thanks to Mimecast Research Labs’ Dor Zvi for this discovery.

What happens when you combine sophisticated anti-phishing attachment inspection, static file analysis, machine executable code in data files, customer reports of a potential false positive, and a project management application?

The discovery of a newly-patched vulnerability with Microsoft Project: Mimecast Research Labs has uncovered a new vulnerability affecting Microsoft Project, project management software included in Microsoft Office since 2010 and Microsoft 365. There are about

With MPP Bleed, Mimecast security researchers determined that there were executable code fragments in what should be a data only file, .MPP. This discovery is similar to two recent Mimecast discoveries: MDB Leaker, a memory leak that affected the Microsoft Access database, as well as CVE-2019-0560, a vulnerability that created the widespread, unintended leakage of sensitive information in millions of previously created Office files.

To exploit the vulnerability a malicious actor only needs to get a hold of .MPP files that were saved with an unpatched version of Microsoft Project. An attacker who successfully exploits this vulnerability could obtain information to further compromise the user’s system or to access sensitive, private information stored in the file (that had previously been in memory) such as graphics, text, or other metadata.  Fortunately, as of the time of this writing, there are no known exploits of CVE-2020-1322.

How Mimecast Research Labs Discovered MPP Bleed

You may be wondering how researchers discovered this leak. On a regular basis, Mimecast receives reports of potential false positive detections of phishing attacks from customers, which sometimes include files suspected to be malicious. Recently, Mimecast Research Labs was investigating what was thought to be an ordinary false positive malware detection claim from an email security customer. Upon deeper investigation, the purported false positive malware file appeared to have a fragment of executable code stored within a file saved in Microsoft Project. Having executable code in a data file is a typical indicator of a malicious file.

While this may seem benign, it can potentially have serious ramifications, as any user creating, editing or saving even a simple Microsoft Project file may unknowingly disclose sensitive information if the file falls into the wrong hands or is outside the control of the organization. For example, the .MPP file could contain text, graphs, financial information, notes, images, or even database information, and would potentially disclose that information to a malicious actor. In other words, this is the type of data leakage hypothetically could be useful to cybercriminals for executing an attack or to steal sensitive information.

Unfortunately, what is disclosed as a result of this vulnerability is random, causing difficulty in reproducing the executable code in a given Project file. This randomness demonstrates how severe this vulnerability could be, since researchers cannot predict what kinds of information could be saved. However, fortunately for Microsoft Project users, the memory leak is specific to Project only – the memory leak does not impact any other Microsoft Office products. The behavior was observed in Microsoft Project 2016, although it can impact Microsoft Project I Microsoft 365 as well.

The Bottom Line

Diligent investigations, even of false positives, can lead to important security discoveries. This kind of research validates the importance of using a wide number and variety of malware detection engines, as in this case as in others the vulnerability has been missed by the industry for many years.

As mentioned, as of the time of this writing, there are no known exploits of CVE-2020-1322. However, Microsoft Research Labs urges all users of Microsoft Project to implement the patch, and follow the security best practices outlined below. Once the patch is applied, those patched systems should no longer be vulnerable to this information leak vulnerability.

But what about the millions of Project files that have been created to date by vulnerable Microsoft Project versions that now have random bits of potentially sensitive information in them? If these files are currently available on the public internet, they would be available for harvesting and analysis by anyone. Microsoft Research Labs suggests removing them or resaving them with a patched version of Microsoft Project.

Further security advice:

• Use an email security system with sophisticated malware detection capabilities which includes both static file analysis as well as sandboxing to filter malicious files from entering the organization as well as sensitive content from leaving.
• Regularly monitor and install patches and updates to your IT systems and applications for security vulnerabilities as they are provided by the IT vendor.
• Monitor network traffic for connections to likely command-and-control services and for the exfiltration of potentially sensitive files.