Careful opening Word docs: attackers exploit un-patched Office flaw

Microsoft on Tuesday will patch a previously unknown or zero-day attack that is being used in the wild to target Office users with rigged Word documents.

In the meantime, security firm McAfee is warning users not to open Office from untrusted locations after discovering several Word files in the wild that are laced with an exploit for a remote code execution bug in Office.

McAfee researcher Haifei Li said the attack works against Office 2016 on Windows 10 and earlier. The first observed attack was in late January, noted Li.

Recipients of the attack document see a Word file in Microsoft’s Rich Text Format (RTF), however if they open the file the exploit will connect to a remote server and fetch an executable .hta file containing HTLM application content. As Li notes, the .hta executable contains malicious script written in Microsoft’s Visual Basic.

“The successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system,” said Li.

He explains that the vulnerability lies in the Windows Object Linking and Embedding (OLE) feature of Office. OLE, which allows an application to embed other documents or objects, was used in 2014 by an advanced persistent threat group known as Sandworm to target government organizations and infrastructure providers in Europe and NATO.

McAfeefound that Microsoft’s Office Protect View sandbox will prevent the attack from working.

“We suggest everyone ensure that Office Protected View is enabled,” said Li.

Li said it had informed Microsoft Security Response Center of the attacks and vulnerability.

McAfee's researchers however weren't the first to report the issue to Microsoft.

In fact, Redmond has known about this issue for several months and will be patching the OLE vulnerability on Tuesday with its usual monthly security update, according to independent security researcher Ryan Hanson.

Rival security firm FireEye on Saturday appeared to take credit for finding the bug in a blog post titled "Acknowledgement of Attacks Leveraging Microsoft Zero Day", in which it said it had worked with Microsoft for "several weeks" but disclosed the issue due to McAfee's blog.

Hanson however says he reported this same bug to Microsoft in October.

"This will be patched on Tuesday, I know this because I disclosed this in October," he wrote.

He's also outlined two methods admins can mitigate this attack. Besides enforcing Protected View, the attack can be blocked by setting "Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2".