Careful opening Word docs: attackers exploit un-patched Office flaw

Adjust Comment Print

The security firm McAfee first reported the vulnerability attack on unsuspecting Word users on Friday evening.

Booby-trapped documents exploiting a critical zero-day vulnerability in Microsoft Word have been sent to millions of people around the world in a blitz aimed at installing Dridex, now one of the most risky bank fraud threats on the Internet.

When a user opens the document - specifically, an RTF file with a.doc extension - an OLE2link object embedded in the file causes Word to connect to an attacker-controlled online address and download and execute an HTML application file, researchers said. This results in the download of a malicious.hta file (HTML Application executable) on the victim's machine.

More news: Twitter Wins Free Speech Battle After DHS Backs Down

Proofpoint recently provided an analysis of the attacks, saying that it has seen emails use an attached Microsoft Word rich text format document.

McAfee says the exploit, which affects all versions of Office is yet to be patched, although Microsoft is reportedly working on a fix.

Several research groups say the bug was being exploited as early as January to remotely install a spy program for carrying out espionage created by FinSpy, associated with Germany and UK-based "lawful intercept" firm, Gamma Group, which sells nearly exclusively to nation state hackers. It agreed not to disclose details of the vulnerability until the company could develop an update.

More news: Dulux parent AkzoNobel rejects call for removal of chairman

In the meantime, users should be wary of documents received from untrusted sources and should enable the Office Protected View mode because it can block this attack. This exploit has proven successful, even though targets are shown a dialog box noting that the document containing the malware contains "links that may refer to other files". The infected documents are spread via email. "New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign that relied on this new exploit".

"According to our tests, this active attack can not bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled".

This tactic allows the attack to appear as a logical flaw, enabling it to slip past Microsoft's memory-based mitigation technologies, the post explained.

More news: Taiwan becomes first Asian nation to outlaw eating cats and dogs

Microsoft released its monthly security-patch bundle Tuesday, fixing 45 unique vulnerabilities, three of which are publicly known and targeted by hackers.