New zero-day attack installing malware on PCs via Microsoft Word security flaws

Attackers targeting Microsoft Office use Windows OLE security flaw to compromise PCs

A new zero-day vulnerability in Microsoft Word that can be used to install malware on PCs is being exploited by attackers, and even fully patched computers are at risk.

Security researchers at McAfee were the first to publish information about the vulnerability, stating that the earliest attacks of this kind they have seen date back to January this year.

Suspicious samples that the security company had detected were organised as Microsoft Word Rich Text Format (RTF) documents.

The malicious documents are spread via phishing emails. Once a document is opened, the exploit connects to a remote server and downloads a file containing an HTML application dressed up as a Microsoft document. It then executes it as a .hta file.

The .hta file enables the attacker to gain full code execution on the victim's machine, bypassing any memory-based mitigation developed by Microsoft.

"The successful exploit closes the 'bait' Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim's system," McAfee said.

It added that the root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE) feature in Office.
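A defender's triage sketch for the RTF and OLE delivery described above, added here as an example and not taken from McAfee, FireEye or the original article: it lists the OLE object control words present in an RTF file and pulls any URL out of the embedded object data. The function names and the sample document are constructed for illustration, and the sketch assumes the RTF is not obfuscated.

```python
import re

# OLE-related control words from the RTF specification.
OLE_WORDS = {"object", "objemb", "objlink", "objautlink", "objupdate", "objdata"}
CONTROL_WORD = re.compile(rb"\\([a-z]+)")
OBJDATA = re.compile(rb"\\objdata([^{}]*)")
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,200}")
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}")


def decode_objdata(blob: bytes) -> bytes:
    """Turn the hex text that follows \\objdata back into raw bytes."""
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", blob)      # drop whitespace and line breaks
    digits = digits[: len(digits) - len(digits) % 2]  # tolerate a trailing odd nibble
    return bytes.fromhex(digits.decode("ascii"))


def triage_rtf(data: bytes) -> dict:
    """Summarise OLE indicators found in the raw bytes of one file."""
    words = {m.group(1).decode("ascii") for m in CONTROL_WORD.finditer(data)} & OLE_WORDS
    urls = set()
    for m in OBJDATA.finditer(data):
        raw = decode_objdata(m.group(1))
        # Object data may store strings as ASCII or as UTF-16LE; check both.
        urls.update(u.decode("ascii") for u in URL_ASCII.findall(raw))
        urls.update(u.decode("utf-16-le") for u in URL_UTF16.findall(raw))
    return {
        "is_rtf": data.lstrip()[:4] == b"{\\rt",   # lenient header check
        "ole_words": sorted(words),
        "urls": sorted(urls),
        # An OLE object whose data points at a remote location deserves a closer look.
        "suspicious": bool(words) and bool(urls),
    }


# Constructed sample: not a valid OLE object, it only carries a placeholder URL.
_payload = (b"\x01\x05\x00\x00"
            + "http://example.invalid/template.doc".encode("utf-16-le") + b"\x00\x00")
SAMPLE = (b"{\\rtf1{\\object\\objautlink{\\*\\objdata "
          + _payload.hex().encode("ascii") + b"}}}")
CLEAN = b"{\\rtf1\\ansi Hello}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE), ("clean", CLEAN)):
        print(name, triage_rtf(doc))
```

A hit is a reason to examine the file in a sandbox or with a dedicated RTF parser, not a verdict on its own.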

Security researchers at FireEye said that they also recently detected malicious Microsoft Office Rich Text Format (RTF) documents that leverage a previously undisclosed vulnerability.

They added that the vulnerability enables attackers to download and execute malware payloads from different well-known malware families.

The security company said that it had been in contact with Microsoft about the vulnerability for several weeks, but did not publicly disclose any details until McAfee decided to reveal all in its blog post.

Microsoft is likely to release a security update along with its next batch of updates, scheduled for Tuesday this week.

In the meantime, McAfee has warned users not to open Microsoft Office files obtained from untrusted sources. It added that the active attack cannot bypass Office Protected View, and that all users ought to turn this feature on.
