After a year-long focus on another project - an innovative initiative aimed at discovering bugs in rich, UI-heavy closed-source software like Microsoft Office applications through large-scale, code-coverage-based fuzzing (resulting in 26 valid CVEs in Office) - I’ve finally had the chance to update the EXPMON Public system.
Let me explain briefly why this major update is necessary.
When we talk about exploits or vulnerabilities, it’s crucial to specify the "environment" - the software and its specific version that the exploit targets (sometimes, this also includes the particular configuration of the software environment or hardware). Without specifying the environment, discussing an exploit or vulnerability is meaningless. For example, a Microsoft Office .docx Word exploit may pose no harm when opened in LibreOffice. This is the core concept behind the EXPMON project: the "environment-binding" approach to analyzing software behaviors.
After opening up the system to the public for more than 1.5 years (in addition to the public online version, I also have EXPMON instances running in my lab, which has been quite helpful for analyzing and understanding software), it’s time to update the system to reflect the fact that some of the environments are now outdated.
For example, the EXPMON system previously included an Office 2010 environment, which is now very outdated. The goal of the public version of EXPMON is to help users detect potential modern, advanced, or zero-day exploits, so maintaining the Office 2010 environment is no longer necessary. As a result, this update has removed all Office 2010 virtual machines. Consequently, an Office 2010 exploit sample may now be marked as "Undetected", since EXPMON Public only supports modern versions of Office.
(Also note that this change is partly a resource-saving measure. Since the EXPMON system is configurable, we can always bring back the Office 2010 environment if needed.)
Another major update is the addition of alternative office suites, in response to their growing popularity - particularly the open-source LibreOffice and the WPS Office Suite. In fact, a significant portion of the work in this major update was focused on bringing these new software environments into the EXPMON system.
In the last year or so, I've read some information regarding advanced zero-day exploits or vulnerabilities in the LibreOffice and WPS apps. For example, this article details two very interesting vulnerabilities in LibreOffice, and this one reports that threat actors have been exploiting WPS zero-days in the wild for quite some time.
Beyond that, I've also added the Mozilla Thunderbird environment as an email client application to open and test .eml samples. This allows us to detect potential email-based (zero-day) exploits targeting not only Microsoft Outlook but also Mozilla Thunderbird users.
Other smaller updates include software version upgrades: I’ve updated the operating system, Office 2021, and Foxit Reader in the VMs.
In summary, the changes are as follows:
- An Office file sample will now be tested in three environments: Office 2021, LibreOffice, and WPS Office, compared to the previous testing of only Office 2021 and Office 2010.
- A PDF sample will now be tested in three environments: Acrobat Reader, Foxit Reader, and the PDF app in WPS Office, compared to the previous testing of only Acrobat Reader and Foxit Reader.
- An .eml email sample will now be tested in two environments: Microsoft Outlook and Mozilla Thunderbird, compared to the previous testing of only Microsoft Outlook.
You can find all the detailed environment specifications at https://pub.expmon.com/static/system/supported_filetype_apps.txt.
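To make the "environment-binding" idea concrete, here is a small model of how a sample is routed to the environments bound to its file type and how the per-environment observations roll up into a single verdict. This is an added example written for this post, not EXPMON's own code: the environment names, file-extension mapping, sample names and "trigger" sets are all constructed for illustration, and the `triggers_in` parameter stands in for what a real sandbox would observe dynamically. It also models the configurable retired environment described above, so the same Office 2010-only sample flips from "Undetected" to "Detected" when that environment is re-enabled.

```python
"""Toy model of EXPMON's environment-binding approach (added example, not EXPMON code).

A sample is never judged in the abstract: it is opened in every environment bound to
its file type, and the verdict is the union of the per-environment observations.
All environment names, sample names and trigger sets below are constructed for
illustration; EXPMON's real environment list lives at the URL given in the post.
"""
from pathlib import Path

# Environments currently bound to each sample type (mirrors the post's summary list).
ACTIVE_ENVIRONMENTS = {
    "office": ("Office 2021", "LibreOffice", "WPS Office"),
    "pdf": ("Acrobat Reader", "Foxit Reader", "WPS Office PDF"),
    "eml": ("Microsoft Outlook", "Mozilla Thunderbird"),
}

# Environments removed from the public system but kept configurable
# (the post notes the Office 2010 VMs were dropped and can be brought back).
RETIRED_ENVIRONMENTS = {
    "office": ("Office 2010",),
}

# Constructed extension mapping; a real system would sniff the format, not trust the name.
EXTENSION_TO_TYPE = {
    ".doc": "office", ".docx": "office",
    ".xls": "office", ".xlsx": "office",
    ".ppt": "office", ".pptx": "office",
    ".pdf": "pdf",
    ".eml": "eml",
}


def sample_type(filename):
    """Map a filename to its sample type; unsupported extensions are rejected."""
    ext = Path(filename).suffix.lower()
    try:
        return EXTENSION_TO_TYPE[ext]
    except KeyError:
        raise ValueError(f"unsupported file type: {ext or '(none)'}") from None


def bound_environments(ftype, include_retired=False):
    """Environments a sample of this type is opened in under the current configuration."""
    envs = list(ACTIVE_ENVIRONMENTS[ftype])
    if include_retired:
        envs.extend(RETIRED_ENVIRONMENTS.get(ftype, ()))
    return envs


def analyze(filename, triggers_in, include_retired=False):
    """Open the sample in each bound environment and aggregate the verdict.

    `triggers_in` replaces the sandbox run: it is the set of environment names in
    which this (constructed) sample exhibits exploit behaviour. A real system would
    observe this dynamically; here it is supplied so the example runs offline.
    An environment that is not bound is simply never consulted, which is exactly
    why an exploit for a retired environment comes back "Undetected".
    """
    ftype = sample_type(filename)
    results = {env: (env in triggers_in)
               for env in bound_environments(ftype, include_retired)}
    verdict = "Detected" if any(results.values()) else "Undetected"
    return {"type": ftype, "verdict": verdict, "results": results}


# Constructed samples: the environments each one would fire in.
SAMPLES = {
    # The post's example: a Word exploit that does nothing when opened in LibreOffice.
    "word_only_exploit.docx": {"Office 2021"},
    # An exploit that only works against the retired Office 2010 environment.
    "office2010_exploit.docx": {"Office 2010"},
    # A document exploit that also fires in the alternative suites.
    "cross_suite_exploit.docx": {"Office 2021", "LibreOffice", "WPS Office"},
    "benign_report.pdf": set(),
}

if __name__ == "__main__":
    for name, triggers in SAMPLES.items():
        print(name, analyze(name, triggers))
    # Re-enabling the retired environment changes the Office 2010 sample's verdict.
    print("with Office 2010 re-enabled:",
          analyze("office2010_exploit.docx",
                  SAMPLES["office2010_exploit.docx"], include_retired=True))
```

The per-environment `results` dict is the part worth keeping in any real pipeline: a bare "Detected" hides which application actually misbehaved, and that is the information an analyst needs to decide whether a sample is an Office, LibreOffice or WPS problem.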
With these major updates, the EXPMON Public system is now capable of monitoring and analyzing potential zero-day exploit threats targeting modern Microsoft Office, LibreOffice, WPS Office, as well as Acrobat Reader, Foxit Reader, and Thunderbird - all backed by deep, retrospective Big Data Analytics support.
That’s it! If you're interested, feel free to test it out at https://pub.expmon.com.
And of course, if you have ideas for collaborations (e.g., if you have a large batch of samples and want to check them for potential zero-day exploits), or if you’d like to see EXPMON support additional applications or file formats, please contact me at contact@expmon.com.