Microsoft Word Unpatched Zero-Day Vulnerability Being Exploited In Wild

Hahahaha! You have been hacked: just opening a simple MS Word document can compromise your system.

The Microsoft Office zero-day vulnerability was discovered by researchers from the security firms McAfee and FireEye. It allows an attacker to execute a Visual Basic Script when the user opens a Word file containing malicious embedded code.

Attack Explained:

The Microsoft Word document contains an embedded OLE2link object. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious .hta file, which is disguised as an RTF (Rich Text Format) file.

The Microsoft HTA (HTML Application) application loads and executes the malicious code. After execution, the malicious code terminates the winword.exe process, downloads additional payloads, and loads a fake document for the user to see.

The original winword.exe process is terminated in order to evade a user prompt generated by the OLE2link. After the payloads are downloaded and executed, an attacker has full remote access to the compromised system.
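The step in which Word fetches an HTA disguised as a document leaves a trace in web proxy logs: an Office client receives a response whose Content-Type is `application/hta`. The following Python sketch is an added example, not code from McAfee, FireEye, or the original article; the log layout, sample rows, and User-Agent markers are constructed assumptions.

```python
import csv
import io
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed proxy log (not real traffic). Column layout is an assumption.
SAMPLE_LOG = """\
time,client,user_agent,url,content_type
2017-04-10T09:01:12Z,10.0.0.21,Mozilla/4.0 (compatible; ms-office; MSOffice 16),http://files.example.test/q1-report.rtf,application/rtf
2017-04-10T09:03:40Z,10.0.0.35,Mozilla/4.0 (compatible; ms-office; MSOffice 16),http://docs.example.test/invoice.rtf,application/hta
2017-04-10T09:04:02Z,10.0.0.35,Mozilla/5.0 (Windows NT 10.0; Win64; x64),http://intranet.example.test/tool.hta,application/hta
2017-04-10T09:05:55Z,10.0.0.48,Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0),http://docs.example.test/template.doc,Application/HTA; charset=utf-8
"""

# Assumed substrings identifying Office clients; tune to what your proxy records.
OFFICE_UA_MARKERS = ("ms-office", "microsoft office")
HTA_TYPES = {"application/hta"}
DOC_EXTS = {".rtf", ".doc", ".docx"}

def media_type(header):
    """Return the bare media type, lower-cased, without parameters."""
    return header.split(";", 1)[0].strip().lower()

def find_hta_fetches(log_text):
    """Flag responses served as HTA to an Office client."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ua = row["user_agent"].lower()
        if not any(marker in ua for marker in OFFICE_UA_MARKERS):
            continue  # not an Office process making the request
        if media_type(row["content_type"]) not in HTA_TYPES:
            continue  # server did not declare the body as an HTA
        ext = PurePosixPath(urlparse(row["url"]).path).suffix.lower()
        findings.append({
            "time": row["time"],
            "client": row["client"],
            "url": row["url"],
            # True when the URL looks like a document but is served as an HTA
            "disguised": ext in DOC_EXTS,
        })
    return findings

if __name__ == "__main__":
    for f in find_hta_fetches(SAMPLE_LOG):
        tag = "disguised as document" if f["disguised"] else "HTA"
        print(f'{f["time"]} {f["client"]} {f["url"]} ({tag})')
```

The browser request for `tool.hta` is not flagged because the rule keys on the Office client, not on the file type alone.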

The attack works on fully patched computers because it exploits a serious, and as yet unpatched, zero-day vulnerability in all versions of Microsoft Office, including the latest Microsoft Office 2016.

According to the researchers, this zero-day attack can bypass most exploit mitigations developed by Microsoft. The newly uncovered vulnerability works on all Windows operating systems; even Windows 10 can be compromised.

Microsoft is aware of the zero-day vulnerability, as the researchers already disclosed the flaw back in January this year. According to reports, the next security patch from Microsoft on Tuesday will bring an end to the zero-day flaw.

According to McAfee in a blog post, “The successful exploit closes the bait Word document and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system.”

“The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office.”

How To Protect Yourself:

  • Don’t open or download any suspicious Word file attached to an email, especially from unknown senders.
  • The attack does not appear to work when the document is viewed in Office Protected View, so users are advised to enable this feature.
  • Keep your anti-virus and security patches up to date.
  • Always beware of phishing emails and spam, and avoid clicking malicious attachments.
