Office Zero Day a ‘Logical Bug’

Tuesday, April 11, 2017 @ 07:04 AM gHale


A new Zero Day affects all versions of Microsoft Office, researchers said.

The exploit doesn’t require victims to enable macros or do anything else, the researchers said.


McAfee researchers publicly disclosed the flaw on Friday.

FireEye had shared details with Microsoft weeks earlier and was holding off on public disclosure until Microsoft shipped a patch. The patch is still in development.

“The root cause of the Zero Day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office,” McAfee researchers said.

The flaw is exploited through a specially crafted Microsoft Word RTF (Rich Text Format) file, which contains an embedded OLE2link object.

The object instructs Word to send an HTTP request to a remote server controlled by the attackers and retrieve from it a malicious .hta file masquerading as an RTF file.

An .hta (HTML Application) file is executable; in this case it runs a malicious script that terminates Word (the winword.exe process), downloads additional payloads, then relaunches Word and displays a decoy document.

“Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft,” McAfee researchers said.
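The chain above gives defenders something concrete to look for: an RTF whose embedded object data names the OLE2Link class and carries a remote URL. The scanner below is an added example for this article, not code from McAfee or FireEye; it builds a constructed sample (placeholder URL on a reserved TLD, no moniker data, so it is not an exploit document) and then decodes each `\objdata` hex run, reads the OLE 1.0 class name, and flags objects that match the pattern. The `\objautlink` and `\objupdate` control words are standard RTF; their use in the sample layout is an assumption.

```python
import re
from typing import Optional

def build_sample_rtf() -> str:
    """Constructed sample (not a real exploit): one embedded object whose
    OLE 1.0 class name is "OLE2Link" and whose data names a remote file,
    mirroring the chain described in the article."""
    class_name = b"OLE2Link\x00"
    ole1 = b"\x01\x05\x00\x00"                          # OLEVersion
    ole1 += b"\x02\x00\x00\x00"                         # FormatID 2 = embedded
    ole1 += len(class_name).to_bytes(4, "little") + class_name
    ole1 += b"http://attacker.invalid/decoy.rtf\x00"    # placeholder link target
    return ("{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
            + ole1.hex() + "}}\\par Invoice attached.}")

OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")

def extract_objdata(rtf: str) -> list:
    """Decode every \\objdata hex run in the RTF into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", m.group(1))
        blobs.append(bytes.fromhex(hexstr[: len(hexstr) // 2 * 2]))
    return blobs

def ole1_class_name(blob: bytes) -> Optional[str]:
    """Class name from an OLE 1.0 ObjectHeader (MS-OLEDS): version,
    format id, then a length-prefixed ANSI string."""
    if len(blob) < 12:
        return None
    n = int.from_bytes(blob[8:12], "little")
    if n == 0 or n > 256 or len(blob) < 12 + n:
        return None
    return blob[12:12 + n].rstrip(b"\x00").decode("ascii", "replace")

def scan_rtf(rtf: str) -> list:
    """Flag embedded objects matching the OLE2Link pattern: class name
    OLE2Link and/or an HTTP(S) URL inside the object data, and note whether
    the document asks Word to refresh the link on open (\\objupdate)."""
    findings = []
    for blob in extract_objdata(rtf):
        name = ole1_class_name(blob)
        urls = [u.decode("ascii") for u in re.findall(rb"https?://[\x21-\x7e]+", blob)]
        if name == "OLE2Link" or urls:
            findings.append({"class_name": name, "urls": urls,
                             "auto_update": "\\objupdate" in rtf})
    return findings
```

Run `scan_rtf()` over files quarantined at the mail gateway; a hit on `OLE2Link` with an external URL and `auto_update` set is worth blocking and investigating regardless of the file extension.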

Who is leveraging this Zero Day remains a mystery. The exploit “downloads and executes malware payloads from different well-known malware families,” FireEye researchers said.

Word documents are being delivered to victims as attachments in emails, but none of the researchers mentioned anything specific about them.

McAfee said the attacks have been going on since late January.

Hopefully, Microsoft will push out a patch this Tuesday. In the meantime, users can protect themselves by not opening any Office file unless they are positively sure it comes from a trusted location or entity.
