What is Object Linking and Embedding Malware?
Object Linking and Embedding (OLE) allows users to create and edit documents that contain objects created by different applications. OLE technology gives users the ability to create compound documents that support a host of software applications, such as Microsoft Windows applications, Corel WordPerfect, Adobe Acrobat, AutoCAD, and multimedia applications [1]. As an example, objects such as bitmap images, sound clips, spreadsheet files, and other objects can be embedded into a Microsoft Word document with OLE technology. The term "object linking and embedding" comes from the two types of actions used to create compound documents:
Linking. Linking adds a link in a document that points to source data stored somewhere else. Linked objects are stored in the document as a path to the original linked data, usually a separate file from the container document.
Embedding. Embedding adds one document directly to the other. Embedded objects are stored with the document that contains them.
OLE technology has routinely been leveraged by cyberattackers for a variety of purposes, including hiding malicious code within documents and linking to external files that infect systems with malware. In 2020 the Cybersecurity and Infrastructure Security Agency (CISA) identified vulnerabilities in Microsoft's OLE technology as the ones most frequently exploited by state-sponsored cyber actors [2]:
“According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. … Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia … are related to Microsoft’s OLE technology.”
With the increased adoption of remote working, documents produced on collaboration platforms such as Microsoft's Office suite are frequently shared amongst team members. This collaborative work environment can leave networks vulnerable to OLE malware attacks, because a single malicious document can reach many users.
One example of an OLE malware attack involves Microsoft Rich Text Format (RTF). RTF is heavily used for email attachments in phishing attacks; attackers favour it because a single RTF file can carry a wide variety of exploits and serves as an efficient delivery mechanism. RTF files can embed many object types, either to exploit vulnerabilities in the application that parses them or to aid further exploitation. The OLE feature in RTF files is largely abused in two ways: to link the RTF document to external malicious code, or to embed exploits for other file formats inside it, using the RTF file as the exploit container.
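As an added example, not code from the article or from the sources it cites: a small Python triage script that finds every {\object ...} group in an RTF file, labels it embedded or linked from its control words, and cross-checks that label against the FormatID in the OLE1 ObjectHeader carried in \*\objdata. The sample RTF, the class names and all function names are constructed for this example.

```python
import re
import struct

def object_groups(rtf):
    r"""Return the text of each {\object ...} group, balancing braces and skipping RTF escapes such as \{ and \}."""
    groups = []
    for m in re.finditer(r"\{\\object\b", rtf):
        depth, i = 0, m.start()
        while i < len(rtf):
            if rtf[i] == "\\":
                i += 2                      # skip the backslash and the character it escapes or starts
                continue
            depth += {"{": 1, "}": -1}.get(rtf[i], 0)
            if depth == 0:
                groups.append(rtf[m.start():i + 1])
                break
            i += 1
    return groups

def classify(group):
    """Label one object from its RTF control words and cross-check the OLE1 ObjectHeader in objdata."""
    kind = "embedded" if r"\objemb" in group else "linked" if re.search(r"\\obj(aut)?link\b", group) else "unknown"
    cls = re.search(r"\\\*\\objclass\s+([^{}\\]+)", group)
    dat = re.search(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)", group)
    data = bytes.fromhex(re.sub(r"\s", "", dat.group(1))) if dat else b""
    findings = []
    if kind == "linked":
        findings.append("linked object: content is pulled from an external source rather than stored in the file")
    if len(data) >= 8:                      # MS-OLEDS ObjectHeader: OLEVersion, then FormatID (1 = linked, 2 = embedded)
        format_id = struct.unpack("<II", data[:8])[1]
        if {1: "linked", 2: "embedded"}.get(format_id) != kind:
            findings.append("RTF control word and OLE1 FormatID disagree; inspect manually")
    return {"kind": kind, "class": cls.group(1).strip() if cls else "", "data_len": len(data), "findings": findings}

def scan(rtf):
    return [classify(g) for g in object_groups(rtf)]

def ole1_header(format_id, class_name):
    """Build a minimal OLE1 ObjectHeader (OLEVersion, FormatID, length-prefixed class name); used only for the sample."""
    name = class_name.encode() + b"\x00"
    return struct.pack("<III", 0x501, format_id, len(name)) + name

# Constructed sample RTF, not taken from any real document: an embedded object whose header matches
# \objemb, and a second object whose \objautlink control word contradicts the embedded FormatID.
SAMPLE_RTF = (
    r"{\rtf1\ansi Quarterly figures{\object\objemb\objw1000\objh1000{\*\objclass Word.Document.8}"
    r"{\*\objdata " + ole1_header(2, "Word.Document.8").hex() + r"}}{\object\objautlink"
    r"{\*\objclass Excel.Sheet.8}{\*\objdata " + ole1_header(2, "Excel.Sheet.8").hex() + r"}} end}"
)
```

Running scan(SAMPLE_RTF) yields one clean embedded object and one linked object with two findings; a real triage would then hand the objdata bytes to an OLE parser rather than stop here.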
To protect yourself from OLE malware, make sure the applications that open compound documents are always promptly updated and patched, since the exploited weaknesses are vulnerabilities in those applications' OLE handling.
[1] Votiro, 2020, "How Positive Selection Technology Solves OLE Vulnerabilities"
[2] CISA, 2020, "Top 10 Routinely Exploited Vulnerabilities"