Microsoft Fixes Critical Word Zero-Day Vulnerability With Tuesday Patch

Posted April 13, 2017

Researchers who spotted the security flaw said attackers were able to exploit the vulnerability through a massive spam campaign that used emails crafted to look like they came from Microsoft.

Researchers have disclosed a previously unknown vulnerability in Microsoft Word that criminals have been exploiting in the wild.

The exploit connects to a remote server controlled by the attackers, downloads a file that contains HTML content, and executes it as an .hta file.

Security issues with Word documents are nothing new, but they have a tendency to rely on macros - something which users have learned to become very wary of.

Ars Technica reported that "the vulnerability is notable because it bypasses exploit mitigations built into Windows, doesn't require targets to enable macros, and works even against Windows 10, which is widely considered Microsoft's most secure operating system ever". Li said that the root cause of the zero-day vulnerability is related to Windows Object Linking and Embedding (OLE).

McAfee said it identified the attacks on Thursday and chose to release its advisory immediately, which appeared late on Friday.

Microsoft has issued a patch for this vulnerability, the details of which were reported by iTWire on Sunday. Until Microsoft releases its patch, the only way to avoid being infected by the bug is to avoid opening Microsoft Word documents received as email attachments.

In the meantime, users should be wary of documents received from untrusted sources and should enable the Office Protected View mode because it can block this attack.

Microsoft has been quick off the mark to release a patch for the vulnerability, which also affected Office 2016. However, Microsoft is aware of the vulnerability and we can expect a patch in the near future. The Microsoft HTA application loads and executes the malicious script. "New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign".

In a blog post over the weekend, McAfee revealed that RTF files with Microsoft Word's .doc extension have been used to gain unauthorised access to machines as far back as January 2017.
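Because the malicious files are RTF content carrying a .doc name and the flaw sits in OLE handling, a mail gateway or analyst can triage attachments by content rather than by extension. The following Python sketch is an added example, not code from McAfee or Microsoft; the function name, the result fields and the sample byte strings are constructed for illustration.

```python
import re

RTF_MAGIC = b"{\\rtf"                              # every RTF file starts with this
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")     # legacy binary .doc container
# RTF control words that introduce an embedded or linked OLE object
OBJECT_WORDS = re.compile(rb"\\(object|objdata|objautlink|objupdate)(?![a-z])")


def triage(filename: str, data: bytes) -> dict:
    """Classify an attachment by its content, not by its extension."""
    if data.lstrip().startswith(RTF_MAGIC):
        real_type = "rtf"
    elif data.startswith(OLE2_MAGIC):
        real_type = "ole2-doc"
    else:
        real_type = "other"

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    disguised = real_type == "rtf" and ext != "rtf"

    words = []
    if real_type == "rtf":
        words = sorted({m.group(1).decode() for m in OBJECT_WORDS.finditer(data)})

    return {
        "real_type": real_type,
        "disguised_rtf": disguised,       # RTF content under another extension
        "ole_control_words": words,       # OLE object markers found in the RTF
        "review": disguised and bool(words),
    }


# Constructed samples (harmless placeholders, not real attachments)
SAMPLE_DISGUISED = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate"
                    b"{\\*\\objdata 0000}}}")
SAMPLE_PLAIN_RTF = b"{\\rtf1\\ansi Hello}"
SAMPLE_BINARY_DOC = OLE2_MAGIC + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("invoice.doc", SAMPLE_DISGUISED),
                       ("notes.rtf", SAMPLE_PLAIN_RTF),
                       ("report.doc", SAMPLE_BINARY_DOC)]:
        print(name, triage(name, blob))
```

A `review` result only means the file deserves quarantine or sandboxing; legitimate RTF documents can also contain OLE objects.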

So, if you receive a shady email message asking you to download the document and open it immediately. Also, the attack cannot bypass Protected View in Word, so McAfee suggested enabling this view mode when opening documents just to be sure.