A new zero-day flaw that affects all versions of Microsoft Word has been revealed, and researchers said that the bug can be used to secretly install malware, even on fully patched machines.
As you may very well know, zero-day vulnerabilities are previously unknown software flaws that hackers are already exploiting before the software makers are made aware of them. As such, attackers are said to be already exploiting this new Microsoft Word vulnerability.
The flaw is yet to be patched, but Microsoft said that a fix will be issued in this month’s set of updates and patches, regularly scheduled for “Patch Tuesday” (the unofficial name for the second Tuesday of each month, also called Update Tuesday).
Poisoned Word Documents
Researchers at McAfee said that, unlike common Word document attacks, this flaw doesn’t rely on macros to execute. It is triggered when a victim opens a poisoned Word document that downloads a fake Rich Text document from a server. This document is actually a malicious HTML application in disguise. This application then downloads and runs a script that’s used to install additional malware in the background.
The cause of the zero-day bug is related to Microsoft Office’s Windows Object Linking and Embedding (OLE) feature, which allows Word to link and embed content into other documents.
McAfee warned that the vulnerability can be exploited in all Microsoft Office versions, including the latest Office 2016 running on Windows 10.
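The disguise described above, a file served as Rich Text that is really an HTML application, can be caught by comparing what a download claims to be with what its bytes contain. The following Python check is an added example, not code from McAfee or Microsoft; the function name, the marker list and the sample files are assumptions constructed for illustration.

```python
import re

RTF_MAGIC = b"{\\rtf"  # every genuine Rich Text file begins with this header
# Markup that belongs in an HTML application or script, not in Rich Text
# (marker list is an assumption chosen for this example).
ACTIVE_MARKERS = re.compile(rb"<\s*(hta:application|script|html)\b", re.IGNORECASE)


def triage_rtf_download(name: str, content_type: str, body: bytes) -> list[str]:
    """Return the reasons a file presented as Rich Text should be quarantined."""
    findings = []
    ctype = content_type.lower().split(";")[0].strip()
    claims_rtf = name.lower().endswith(".rtf") or "rtf" in ctype
    if not claims_rtf:
        return findings  # out of scope for this check
    if not body.lstrip().startswith(RTF_MAGIC):
        findings.append("claims RTF but lacks the {\\rtf header")
    # Scan the whole body: a valid header does not rule out script further in.
    match = ACTIVE_MARKERS.search(body)
    if match:
        tag = match.group(1).decode().lower()
        findings.append(f"contains active markup <{tag}> at offset {match.start()}")
    if ctype == "application/hta":
        findings.append("server declared application/hta")
    return findings


# Constructed samples (inert placeholders, no payload).
BENIGN = b"{\\rtf1\\ansi Quarterly report text.}"
DISGUISED = b"<html><head><script language=\"VBScript\">' placeholder\n</script></head></html>"
HYBRID = b"{\\rtf1\\ansi filler}\n<script>/* placeholder */</script>"

if __name__ == "__main__":
    cases = [
        ("report.rtf", "application/rtf", BENIGN),
        ("template.rtf", "application/hta", DISGUISED),
        ("template.rtf", "application/rtf", HYBRID),
    ]
    for name, ctype, body in cases:
        print(name, ctype, triage_rtf_download(name, ctype, body) or "clean")
```

A check like this fits at a mail gateway or web proxy, where the file name, the declared content type and the body are all visible before the document reaches Word.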
In the meantime, as we wait for the fix in this month’s Patch Tuesday Windows updates (set for tomorrow), McAfee suggests that Office users take the following actions to protect themselves:
- Do not open any Office files obtained from untrusted locations.
- Enable Office Protected View since this attack cannot bypass it.
To open a document in Protected View, take these steps:
- Click File >> Open.
- On the Open dialog box, click the arrow next to the Open button.
- From the list, click Open in Protected View.
See McAfee’s official blog post about this Word zero-day attack.