Microsoft is sounding the alarm on a serious new security flaw that could let a hacker take over your computer with very little effort. And it works on any version of Windows.
Don't panic just yet though. I'm going to tell you how it works and how you can stay safe.
How it works
To exploit the flaw, a hacker creates a Microsoft Office file with a malicious OLE object. OLE stands for "Object Linking and Embedding" and it lets you bring spreadsheets from Excel or text from Word into another document, like a PowerPoint presentation.
Why would you want to do this? If you're linking the content instead of copying it, you can make changes to the original file and the changes will show up in the other document automatically. That's great if you need to keep updating the numbers on a project in Excel and don't want to recopy the information to Word or PowerPoint every time.
But now we know that if you open an Office file with a malicious OLE object, a hacker can take over your system. Microsoft isn't saying exactly how until the problem is patched. Fortunately, we don't need to know exactly how the hack works to protect against it.
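One way to see whether an Office file carries OLE objects without opening it in Office, added here as an example (it is not from Microsoft or the original article). It assumes the newer zip-based formats (.docx, .xlsx, .pptx); the sample file, its paths and the size limit are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_TYPES = (OFFICE_REL + "oleObject", OFFICE_REL + "package")
MAX_PART = 1_000_000  # assumed cap on the size of a relationships part


def find_ole_objects(data: bytes) -> list:
    """List OLE relationships in an OOXML file without opening it in Office."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels"):
                continue
            xml = zf.read(info) if info.file_size <= MAX_PART else b""
            # Oversized, empty or DTD-carrying parts are not normal OOXML.
            if not xml or b"<!DOCTYPE" in xml:
                raise ValueError(f"suspicious relationships part: {info.filename}")
            for rel in ET.fromstring(xml).iter(REL_NS + "Relationship"):
                if rel.get("Type") in OLE_TYPES:
                    findings.append({
                        "part": info.filename,
                        "target": rel.get("Target", ""),
                        # Linked objects point outside the file itself.
                        "linked": rel.get("TargetMode") == "External",
                    })
    return findings


def build_sample() -> bytes:
    """Constructed sample: a minimal .pptx-style package, one embedded and one linked object."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}image" Target="../media/image1.png"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" Target="../embeddings/oleObject1.bin"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}oleObject" '
        'Target="file:///C:/constructed/budget.xlsx" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        zf.writestr("ppt/embeddings/oleObject1.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_ole_objects(build_sample()):
        kind = "linked" if hit["linked"] else "embedded"
        print(f'{hit["part"]}: {kind} OLE object -> {hit["target"]}')
```

An OLE object in a file is not proof of an attack, since plenty of ordinary presentations embed spreadsheets; a hit on a file from an unexpected sender is the cue to leave it unopened. Older binary formats (.doc, .xls, .ppt) are not zip archives and are rejected by `zipfile`.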
How to stay safe
Thankfully, the OLE hack does have some weaknesses.
1. The OLE hack only works correctly in Microsoft Office. If you're using the free LibreOffice or another alternative office suite, then OLE objects are probably going to break and won't run the malicious code correctly. Still, if you want to stick with Microsoft Office, read on.
2. When you open the malicious Office file in Windows Vista or newer, Windows' User Account Control (UAC) will ask you for permission to install or run a program. That's a warning sign that something isn't right with the file.
If you ever open anything other than a program's installer file - like an image file, document or Web page - and Windows asks for permission to install something, always click "No" or "Don't allow."
3. Hackers can also make malicious websites based on this technique that attack your computer if you visit. To get you to the site, however, they'll have to use a phishing email or link on social media.
As always, be very careful what links you click in email and online.
Of course, when you visit the site, Windows will ask for permission to install a program. As I said in point number 2, that's a huge warning sign and you should click "No," or "Don't Allow."
4. Even if the OLE hack works, the hacker will only have as much control over your computer as you do. So, if you use an Administrator user account, the hacker can do anything they want.
If you use a Standard user account, however, the hacker will still need the administrator password to install malicious files or change major settings. That's a serious setback for them.
Even without this attack, I advise everyone to use a Standard account as their main account. Just doing that can really cut down your risk from hackers and other threats.