Hackers are exploiting a vulnerability in Microsoft Word that can be used to install malware on targeted computers, even those that are fully patched and up to date. The zero-day attack was discovered by security researchers at FireEye, who reported it to Microsoft.
McAfee also warned its customers and all Office users about the zero-day attack, urging them to take precautions.
“The samples we have detected are organized as Word files (more specially, RTF files with “.doc” extension name). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack we have seen dates to late January.
The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft.”
The successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system.
According to McAfee, the root cause of the zero-day vulnerability is related to Windows Object Linking and Embedding (OLE), an important feature of Office.
Microsoft is working on an official patch this week, but Office users can take the following precautions:
- Do not open any Office files obtained from untrusted locations.
- According to McAfee, this active attack cannot bypass Office Protected View, so it suggested that everyone ensure Office Protected View is enabled.
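
For defenders who want to check a mail quarantine or file share for the file shape McAfee describes (RTF content under a ".doc" name, carrying an OLE object), the following triage script is an added example, not code from FireEye, McAfee or Microsoft. The function names, the read cap and the sample byte strings are assumptions constructed for illustration.

```python
"""Triage for RTF content saved under a non-.rtf name that declares OLE objects."""
import re
from pathlib import Path

MAX_BYTES = 8 * 1024 * 1024  # per-file read cap (assumption, tune as needed)
# RTF control words that declare an embedded or linked OLE object.
OLE_WORDS = re.compile(rb"\\obj(?:ect|emb|link|autlink|data|update)\b")

def triage(data: bytes, name: str) -> dict:
    """Classify one file by its content rather than by its extension."""
    # Matches "{\rtf" and truncated variants of the header, after leading whitespace.
    is_rtf = data[:64].lstrip().startswith(b"{\\rt")
    ext = Path(name).suffix.lower()
    found = OLE_WORDS.findall(data) if is_rtf else []
    words = sorted({w.decode("ascii") for w in found})
    mismatch = is_rtf and ext != ".rtf"
    return {"is_rtf": is_rtf, "ext_mismatch": mismatch,
            "ole_words": words, "suspicious": mismatch and bool(words)}

def scan(root) -> list:
    """Return (path, ole_words) for every suspicious file under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                result = triage(fh.read(MAX_BYTES), path.name)
            if result["suspicious"]:
                hits.append((str(path), result["ole_words"]))
    return hits

# Constructed, inert samples (not taken from any real attack document).
DISGUISED = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 00}}}"
PLAIN_RTF = b"{\\rtf1\\ansi Meeting notes}"
BINARY_DOC = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 24  # legacy .doc magic

if __name__ == "__main__":
    for blob, fname in [(DISGUISED, "invoice.doc"), (PLAIN_RTF, "notes.doc"),
                        (PLAIN_RTF, "notes.rtf"), (BINARY_DOC, "report.doc")]:
        print(fname, triage(blob, fname))
```

A hit means the file deserves a closer look, not that it is malicious. Control words can be obfuscated, so a miss from this simple byte match does not clear a file.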