Researchers have disclosed a previously unknown vulnerability in Microsoft Word that criminals have been exploiting in the wild. The Office security exploit could be used to install malware even on fully patched systems. Security researchers said that unlike macro hacks that Office warns against, these attacks are difficult to detect.
Critical Office security vulnerability exploited in attacks
The Office security bug relies on infected Word documents. When a user opens this infected document, the vulnerability is triggered which then downloads malicious HTML applications disguised as make-believe RTF files. Once executed, the HTML application connects to a remote server and runs a custom script designed to install malware. This security exploit is a zero-day bug that is yet to be patched by Microsoft.
Researchers at McAfee wrote that the attack vector makes it difficult to prevent potential attacks. FireEye also added that the vulnerability is bypassing most mitigations. They explained the attack vector:
The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
The exploit was first reported by researchers at McAfee which was quickly followed by a report by FireEye. The latter said it had shared the details of the Office security exploit with Microsoft and had been withholding details for the company to be able to deliver a patch before going public with the information.
Both firms agreed that the issue relates to the Windows Object Linking and Embedding (OLE) function, which allows an application to link and embed content to other documents. The feature has been exploited numerous times over the past few years. The vulnerability was first observed in January and the firms continue to spot new attacks leveraging it.
The security companies said that all Office versions are affected by this issue, including Office 2016 on Windows 10. Microsoft has confirmed it will send a patch tomorrow on Patch Tuesday. Until you get a patch, McAfee advises users to enable Office Protected View mode and, of course, do not open any Office files from untrusted sources.
