Careful opening Word docs: attackers exploit un-patched Office flaw

Microsoft on Tuesday will patch a previously unknown, or zero-day, flaw that is being exploited in the wild to target Office users with rigged Word documents.

In the meantime, security firm McAfee is warning users not to open Office documents from untrusted locations after discovering several Word files in the wild that are laced with an exploit for a remote code execution bug in Office.

McAfee researcher Haifei Li said the attack works against Office 2016 on Windows 10 and earlier. The first observed attack was in late January, noted Li.

Recipients of the attack document see a Word file in Microsoft’s Rich Text Format (RTF); if they open the file, the exploit connects to a remote server and fetches an executable .hta file containing HTML Application content. As Li notes, the .hta executable contains malicious script written in Microsoft’s Visual Basic.

“The successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system,” said Li.

He explains that the vulnerability lies in the Windows Object Linking and Embedding (OLE) feature of Office. OLE, which allows an application to embed other documents or objects, was used in 2014 by an advanced persistent threat group known as Sandworm to target government organizations and infrastructure providers in Europe and NATO.

McAfee found that Microsoft’s Office Protected View sandbox will prevent the attack from working.

“We suggest everyone ensure that Office Protected View is enabled,” said Li.

Li said McAfee had informed the Microsoft Security Response Center of the attacks and the vulnerability.

McAfee's researchers however weren't the first to report the issue to Microsoft.

In fact, Redmond has known about this issue for several months and will be patching the OLE vulnerability on Tuesday with its usual monthly security update, according to independent security researcher Ryan Hanson.

Rival security firm FireEye on Saturday appeared to take credit for finding the bug in a blog post titled "Acknowledgement of Attacks Leveraging Microsoft Zero Day", in which it said it had worked with Microsoft for "several weeks" but disclosed the issue due to McAfee's blog.

Hanson however says he reported this same bug to Microsoft in October.

"This will be patched on Tuesday, I know this because I disclosed this in October," he wrote.

He has also outlined two methods by which admins can mitigate this attack. Besides enforcing Protected View, the attack can be blocked by setting "Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles" to 2.
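The following PowerShell script is an added example, not code from the article, McAfee or Microsoft: it audits the two mitigations above per installed Office version and, with -Remediate, applies the RtfFiles setting. It assumes the FileBlock key lives under the per-user HKCU hive (the article gives only the subkey path), that the 14.0/15.0/16.0 keys map to Office 2010/2013/2016, and that the standard Disable*InPV values under Security\ProtectedView reflect whether Protected View has been switched off.

```powershell
# Audit (and optionally enforce) the Word mitigations for the OLE/RTF attack.
# Assumptions: HKCU hive for the FileBlock path, version keys 14.0/15.0/16.0,
# and the Disable*InPV value names for the Protected View Trust Center toggles.
param([switch]$Remediate)

$results = foreach ($ver in '14.0', '15.0', '16.0') {
    $wordKey = "HKCU:\Software\Microsoft\Office\$ver\Word"
    if (-not (Test-Path $wordKey)) { continue }   # this Office version is not present for the user

    $fileBlock = "$wordKey\Security\FileBlock"
    $pv        = "$wordKey\Security\ProtectedView"

    # RtfFiles = 2 is the value the article says blocks the attack
    $rtf = (Get-ItemProperty -Path $fileBlock -Name RtfFiles -ErrorAction SilentlyContinue).RtfFiles

    # A value of 1 in any of these disables one Protected View trigger (internet, attachments, unsafe locations)
    $pvDisabled = foreach ($name in 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV') {
        $v = (Get-ItemProperty -Path $pv -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) { $name }
    }

    if ($Remediate -and $rtf -ne 2) {
        New-Item -Path $fileBlock -Force | Out-Null            # create Security\FileBlock if missing
        Set-ItemProperty -Path $fileBlock -Name RtfFiles -Value 2 -Type DWord
        $rtf = 2
    }

    [pscustomobject]@{
        OfficeVersion     = $ver
        RtfFilesValue     = if ($null -eq $rtf) { 'not set' } else { $rtf }
        RtfBlockApplied   = ($rtf -eq 2)
        ProtectedViewOff  = ($pvDisabled -join ', ')   # empty means no trigger has been disabled
    }
}

$results | Format-Table -AutoSize
```

Run it as the affected user (the settings are per-user); a non-empty ProtectedViewOff column means Protected View has been weakened in the Trust Center and the first mitigation cannot be relied on.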
