Security experts are warning of a critical zero-day threat that has been targeting Microsoft Word users since late January.
The attack allows hackers to remotely execute code on a targeted computer by tricking the user into opening a Word doc containing an embedded exploit.
The Windows Object Linking and Embedding (OLE) is primarily targeted with this exploit, which works on all versions of Office up to Office 2016 running on Windows 10.
FireEye, which has been working with Microsoft on the issue “for several weeks”, explained that a hacker would first email a Word document booby-trapped with a malicious embedded OLE2link object.
It continued:
“When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.”
Thus, the threat could be used to silently deliver multiple types of malware, and because it’s a logical bug, can bypass any memory-based mitigations, according to McAfee.
The Intel spin-off urged users not to open any Office files if they don’t trust the sender/location, and advised them to switch on Office Protected View, which the attack apparently cannot bypass.
It is believed that Microsoft will address the threat in its April Patch Tuesday security update round.
That is, unless there are any last-minute problems. In February, the Redmond security team was forced to cancel Patch Tuesday at the eleventh hour due to an unspecified issue.