Advisory: Sudden increase in ROP alerts for Office 2013 32-bit Click-to-Run applications after an update to Sophos Intercept X and Exploit Prevention

Update – 19/10/18 @ 16:15 BST

Customers are reporting that, following the roll-back process, they are now able to access Office 2013 (32-bit) applications again. Sophos Development is working on a fix to the issue and this will be included in a future release. Any customers with continued issues should please contact support with the information requested below.

Update – 19/10/18 @ 11:45 BST

All affected customers have now been rolled back to the previous version of Intercept X and Exploit Prevention. Therefore they will notice their machines downgrade to the previous version of Intercept X (2.0.8) or Exploit Prevention (3.7.4.756). As mentioned previously, this roll-back will require at least one reboot of the endpoint machines to apply – however it is possible that the machines may require multiple reboots to apply the fix.

Sophos Development continue to look into this issue.

Update – 19/10/18 @ 09:50 BST

Sophos have decided to roll back the release of Intercept X and Exploit Prevention to limit the impact to customers while investigations continue internally.

This roll-back will require at least one reboot of the endpoint machines to apply – however it is possible that the machines may require multiple reboots to apply the fix.

Customers are reporting an increase in ROP alerts for Office 2013 (32-bit) Click-to-Run applications following an Intercept X / Exploit Prevention update released yesterday, 17th October. This results in Office 2013 applications reporting a ‘ROP Exploit Detected’ alert when they are opened.

This issue only impacts customers who have received the latest Intercept X and Exploit Prevention updates. The affected versions are:

  • Intercept X 2.0.9
  • Exploit Prevention 3.7.10

Both of these versions will list “Build 760” in c:\programdata\hitmanpro.alert\logs\sophos.log.
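To find which endpoints are still on the affected build, the following PowerShell is an added example and not Sophos tooling; it assumes sophos.log is plain text containing a line with “Build <number>” (the advisory only states that the affected versions list “Build 760”) and that WinRM is enabled for the remote check.

```powershell
# Added example (not Sophos' own tooling): flags endpoints on the affected
# Intercept X 2.0.9 / Exploit Prevention 3.7.10 release by reading the build
# number from sophos.log, where the advisory says "Build 760" is listed.
# Assumption: the log is plain text and contains lines matching 'Build <number>'.
function Test-SophosAffectedBuild {
    [CmdletBinding()]
    param(
        # Log path from the advisory; override if ProgramData is relocated
        [string]$LogPath = (Join-Path $env:ProgramData 'HitmanPro.Alert\logs\sophos.log'),
        # Build number the advisory associates with the affected release
        [string]$AffectedBuild = '760'
    )

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        LogFound     = Test-Path -LiteralPath $LogPath
        LastBuild    = $null
        Affected     = $false
    }

    if ($result.LogFound) {
        # Take the most recent 'Build <n>' line: after the roll-back applies,
        # older Build 760 entries may remain above the current build line
        $last = Select-String -LiteralPath $LogPath -Pattern 'Build (\d+)' |
                Select-Object -Last 1
        if ($last) {
            $result.LastBuild = $last.Matches[0].Groups[1].Value
            $result.Affected  = ($result.LastBuild -eq $AffectedBuild)
        }
    }
    return $result
}

# Local check
Test-SophosAffectedBuild

# Fleet check over WinRM (assumed enabled): endpoints.txt is a constructed
# input with one hostname per line; only machines still on Build 760 are listed
$endpoints = Get-Content -Path '.\endpoints.txt'
Invoke-Command -ComputerName $endpoints -ScriptBlock ${function:Test-SophosAffectedBuild} |
    Where-Object Affected |
    Select-Object PSComputerName, LastBuild
```

Endpoints that report LogFound as false either do not have Intercept X / Exploit Prevention installed or keep the log elsewhere, so treat them as unknown rather than unaffected.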

Older versions of Intercept X and Exploit Prevention are not affected.

Sophos is investigating this issue as a priority and will provide updates via this article as they are available.

Applies to the following Sophos product(s) and version(s)

Sophos Intercept X

Sophos Exploit Prevention

All affected customers have now been rolled back to the previous version of Intercept X and Exploit Prevention. Therefore they will notice their machines downgrade to the previous version of Intercept X (2.0.8) or Exploit Prevention (3.7.4.756). As mentioned previously, this roll-back will require at least one reboot of the endpoint machines to apply – however it is possible that the machines may require multiple reboots to apply the fix.

If you are affected by this issue, please gather a Sophos Diagnostic Log (KB 33556), then contact Sophos Support.

In the interim, affected customers can work around this issue by disabling protection for Office applications using the steps below:

Sophos Central

The following workaround will work; however, for a less invasive workaround, please contact Sophos Support, who can make an adjustment in your Central Dashboard.

  1. Log in to Sophos Central
  2. Navigate to Endpoint Protection > Policies
  3. Open your Threat Prevention policy
  4. Under Runtime Protection untick ‘Protect Office Applications’
  5. Save your changes

Sophos Enterprise Console

  1. Access the Sophos Enterprise Console
  2. Open the Exploit Prevention Policy for the affected machines
  3. Untick ‘CPU Branch Tracing’
  4. Save your changes

Updates will be provided to this article as the investigation continues.
