MS Office zero-day exploited in attacks – no enabling of macros required!

A new zero-day flaw affecting all versions of Microsoft Office is being exploited in attacks in the wild, and no user is safe – not even those who use a fully patched Windows 10 machine.

Even worse: targets do not have to anything except run a malicious file in order to get compromised, as the exploit doesn’t require them to enable macros or do anything else.

MS Office zero-day

The vulnerability

The existence of the flaw was revealed by McAfee researchers on Friday, and confirmed by FireEye researchers on Saturday. The latter shared details about it with Microsoft weeks ago, and were waiting to publicly reveal the flaw once Microsoft pushed out a patch. The patch is still to be released.

“The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office,” McAfee researchers noted.

The flaw is exploited through a specially crafted Microsoft Word RTF (Rich Text Format) file, which contains an embedded OLE2link object. The object instructs Word to send a HTTP request to a remote server controlled by the attackers, to retrieve from it a malicious .hta file masquerading as a RTF file.

A .hta file is an executable, and in this case it loads and executes a malicious script that closes Word (i.e. the winword.exe process), downloads additional payloads, and starts Word again and shows a decoy document.

“Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft,” the researchers explained.

The attack

Who is leveraging this zero-day is unknown. According to FireEye researchers, the exploit “downloads and executes malware payloads from different well-known malware families.”

The booby-trapped Word documents are being delivered to victims as attachments in emails, but none of the researchers mentioned anything specific about them. McAfee says that the attacks have been going on since late January.

Hopefully, Microsoft will push out a patch this Tuesday. In the meantime, users can protect themselves by not opening any Office file that they aren’t positively sure they are coming from a trusted location or entity, and by enabling Office Protected View. Apparently, the exploit can’t bypass the protection offered by that feature.

UPDATE (April 11, 2017): The exploit has been spotted being used to infect users with the Dridex banking malware. Microsoft has said it will released a patch for the flaw later today, as part of its regular monthly Patch Tuesday.