Zero-Day Attack Targets Microsoft OfficeEmploy Emergency Workaround Until Fix Arrives, Security Experts Warn
A zero-day vulnerability in Microsoft Office is being actively exploited by in-the-wild attacks, multiple security companies warn. Microsoft plans to issue a related fix on April 11.
See Also: Splunk Predictions 2020
McAfee was the first security firm to publicize the issue, followed by FireEye.
Rather than this being a pure software vulnerability, McAfee characterizes the flaw as a "logical" bug that allows a malicious Word document to skirt around security protections built into Windows.
These types of exploits can be especially effective when used in combination with so-called spear-phishing attempts. Spear phishing involves carefully crafting emails with malicious attachments that appear to be legitimate in order to trick a victim into running the exploit code and inadvertently infecting their own computer.
Microsoft has been prepping a fix for this zero-day flaw.
"We plan to address this through an update on Tuesday, April 11, and customers who have updates enabled will be protected automatically," a spokesman tells Information Security Media Group. "Meanwhile, we encourage customers to practice safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue."
McAfee picked up on the attacks April 6, saying it immediately alerted Microsoft to the flaw, and notes that the campaign appears to have begun in late January. The related exploit is effective against all versions of Microsoft Office on Windows, writes Haifei Li, a senior vulnerability researcher with McAfee, in a blog post.
Related attacks begin with a malicious Word document. The document contains an OLE2link, which is short for object linking and embedding, a feature that allows external content to be loaded into a document.
If the document is opened, Word issues an HTTP request that retrieves a malicious .hta file, which is a HTML application, writes Genwei Jiang, a senior research engineer with FireEye.
A malicious Visual Basic script is then loaded. It closes the rigged document and then shows a bogus one. Meanwhile, the script downloads other payloads. Although the OLE2link displays a user prompt, the winword.exe process terminates it so the user doesn't see it.
The attack neatly routes around some of Microsoft's security protections, although FireEye says its systems can detect the malicious documents.
"Because .hta is executable, the attacker gains full code execution on the victim's machine," writes Li of McAfee. "Thus, this is a logical bug and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft."
Jumping the Gun?
McAfee may have jumped the gun on disclosure. But it's not unheard of for bugs to be disclosed before there's a patch, if the entity that found the flaw thinks that active attacks, utilizing the flaw, are already putting users at great risk.
Confirmation of extensive, related attacks arrived April 10 via a blog post from security firm Proofpoint, which said that the notorious Dridex botnet has been targeting the vulnerability via millions of spam emails that primarily target Australia.
FireEye says it has known of the problem and has been working with Microsoft for several weeks. After seeing McAfee's post, FireEye followed up with a blog of its own. "After recent public disclosure by another company, this blog serves to acknowledge FireEye's awareness and coverage of these attacks," Jiang writes.
But the flaw appears to have been first reported to Microsoft in October 2016 by Ryan Hanson, a security consultant at Optiv, an IT service management firm based in Denver, in October. He warns that the underlying flaw may not exist only in Microsoft Office.
@jessysaurusrex patch is coming tomorrow. I know this because I disclosed it in October. I've also shared a temporary fix for it as well— Ryan Hanson (@ryHanson) April 10, 2017
Until Microsoft issues a fix, there is a workaround, McAfee says. Microsoft's Protected View will at least flash a prompt, warning users if potentially suspicious files are being downloaded from the internet. System administrators can configure Protected View so users can't disable it, which is a good idea.
Alternately, users might avoid opening any Word attachments in Windows, instead viewing them via Google Drive or on an iPhone or iPad.
Executive Editor Mathew Schwartz also contributed to this story.