{"id":5876,"date":"2019-04-17T14:59:09","date_gmt":"2019-04-17T11:59:09","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=5876"},"modified":"2022-05-05T14:25:21","modified_gmt":"2022-05-05T11:25:21","slug":"ms-office-vulnerabilities-sas-2019","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/ms-office-vulnerabilities-sas-2019\/5876\/","title":{"rendered":"Microsoft Office and its vulnerabilities"},"content":{"rendered":"<p>Some of the talks at the SAS 2019 conference were devoted not to sophisticated APT attacks but to the daily work routine of our anti-malware researchers. Our experts Boris Larin, Vlad Stolyarov and Alexander Liskin prepared a study titled \u201cCatching multilayered zero-day attacks on MS Office.\u201d The main focus of the study was the tools they rely on in malware analysis, but they also drew attention to the current Microsoft Office threat landscape.<\/p>\n<p>The changes in the threat landscape over just two years are striking. Our experts compared the distribution of attacked users by targeted platform since the end of last year with the situation just two years earlier. 
They found that cybercriminals had shifted from web-based vulnerabilities to vulnerabilities in MS Office, but the scale of the change surprised even them: over the past few months, MS Office became the most targeted platform, with a share of more than 70% of attacks.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5878\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2019\/04\/17144540\/office_platforms_diagram.png\" alt=\"\" width=\"1166\" height=\"650\"><\/p>\n<p>Since last year, a number of zero-day attacks on MS Office have started to surface. They usually begin as targeted attacks, but eventually they become public and end up integrated into a malicious document builder. The turnaround time, however, has shortened considerably. For example, in the case of CVE-2017-11882, the first equation editor vulnerability our expert saw, a huge spam campaign was launched on the same day the proof of concept was published. The same holds for other vulnerabilities. Once a technical report on a vulnerability is published, it is only a matter of time before an exploit for it reaches the black market. 
The bugs themselves have become less complex, and sometimes a detailed report is more than enough for a cybercriminal to put together a working exploit.<\/p>\n<p>A look at the most exploited vulnerabilities of 2018 makes it clear that malware authors prefer simple, logical bugs. That is why the equation editor vulnerabilities CVE-2017-11882 and CVE-2018-0802 became the most exploited bugs in MS Office. Simply put, they are reliable and work in every version of Word released in the past 17 years. Most important, exploiting either of them requires no advanced skills. The equation editor binaries had none of the modern protections and mitigations you would expect in an application in 2018.<\/p>\n<p>An interesting side note: none of the most exploited vulnerabilities are in MS Office itself. Rather, they are in related components.<\/p>\n<h3>Why do things like this keep happening?<\/h3>\n<p>MS Office has a huge attack surface, with many complex file formats to consider, and it is also integrated with Windows and interoperable with it. 
And, most important from a security standpoint, many of the decisions Microsoft made when developing Office do not look right today, but changing them would seriously damage backward compatibility.<\/p>\n<p>In 2018 alone, we found multiple zero-day vulnerabilities that were already being exploited. One of them is <a href=\"https:\/\/securelist.com\/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation\/86333\/\" target=\"_blank\" rel=\"noopener\">CVE-2018-8174 (the Windows VBScript Engine Remote Code Execution Vulnerability)<\/a>. This vulnerability is especially interesting because the exploit was found in a Word document even though the vulnerability itself is in Internet Explorer. For details, see this <a href=\"https:\/\/securelist.com\/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation\/86333\/\" target=\"_blank\" rel=\"noopener\">Securelist<\/a> article.<\/p>\n<h3>How we find vulnerabilities<\/h3>\n<p>Kaspersky\u2019s <a href=\"https:\/\/go.kaspersky.com\/TR_Trial_Advanced_SOC.html?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=tr_kesbkb_ey0081_organic&amp;utm_content=link&amp;utm_term=tr_kdaily_organic_ey0081_link_blog_kesbkb\" target=\"_blank\" rel=\"noopener nofollow\">security products for endpoints<\/a> have very advanced heuristic capabilities for detecting threats delivered through MS Office documents. This capability is one of the first layers of detection. 
The heuristic engine recognizes all of the file formats and obfuscation methods used in documents, and it serves as the first line of defense. But when we find a malicious object, we do not stop at determining that it is dangerous. The object also passes through additional security layers. One technology that has proved especially successful, for example, is the sandbox.<\/p>\n<p>In information security, sandboxes are used to isolate an insecure environment from a secure one, or vice versa, to prevent the exploitation of vulnerabilities, and to analyze malicious code. For us, a sandbox is a malware detection system that runs a suspicious object in a virtual machine with a full-featured OS and determines the object\u2019s malicious activity by looking at its behavior. It was designed a few years ago for use in our own infrastructure and later became part of <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/anti-targeted-attack-platform\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Kaspersky Anti Targeted Attack Platform<\/a>.<\/p>\n<p>Microsoft Office is an attractive target for attackers and will remain one. Attackers pick the easiest targets, and legacy features get exploited. 
So, to protect your company, we recommend using solutions that have already proved their effectiveness by detecting numerous CVEs.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial-leadgen\">\n","protected":false},"excerpt":{"rendered":"<p>This talk at the SAS 2019 conference focused on the Microsoft Office threat landscape and the technologies that let us spot related zero-day exploits.<\/p>\n","protected":false},"author":2706,"featured_media":5877,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1194,1727],"tags":[1887,1912,1911,337,1908,1913,877],"class_list":{"0":"post-5876","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-thesas2019","10":"tag-office","11":"tag-ofis","12":"tag-sas","13":"tag-sas-2019","14":"tag-security-analysy-summit","15":"tag-sistem-aciklari"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/ms-office-vulnerabilities-sas-2019\/5876\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ms-office-vulnerabilities-sas-2019\/15601\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ms-office-vulnerabilities-sas-2019\/13145\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ms-office-vulnerabilities-sas-2019\/17521\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ms-office-vulnerabilities-sas-2019\/15670\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/ms-office-vulnerabilities-sas-2019\/14369\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ms-office-vulnerabilities-sas-2019\/18244\/"},{"hreflang":"it","url":"https:\/\/www.kasp
ersky.it\/blog\/ms-office-vulnerabilities-sas-2019\/17173\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ms-office-vulnerabilities-sas-2019\/22603\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ms-office-vulnerabilities-sas-2019\/26415\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/ms-office-vulnerabilities-sas-2019-2\/11601\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/ms-office-vulnerabilities-sas-2019\/11676\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/ms-office-vulnerabilities-sas-2019\/10600\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/ms-office-vulnerabilities-sas-2019\/19022\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/ms-office-vulnerabilities-sas-2019\/23042\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ms-office-vulnerabilities-sas-2019\/18258\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ms-office-vulnerabilities-sas-2019\/22452\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ms-office-vulnerabilities-sas-2019\/22389\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/sas\/","name":"SAS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/5876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=5876"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/5876\/revisions"}],"predecessor-version":[{"id":6803,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/5876\/revisions\/680
3"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/5877"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=5876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=5876"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=5876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}