Security researchers are warning of a new in-the-wild attack that silently installs malware on fully-patched computers by exploiting a serious — and yet unpatched — zero-day vulnerability in all current versions of Microsoft Office.
The Microsoft Office zero-day attack, uncovered by researchers from security firms McAfee and FireEye, starts simply with an email that attaches a malicious Word file containing a booby-trapped OLE2link object.
When opened, the exploit code gets executed and makes a connection to a remote server controlled by the attacker, from where it downloads a malicious HTML application file (HTA) that's disguised as a document created in Microsoft's RTF (Rich Text Format).
The HTA file then gets executed automatically with attackers gaining full code execution on the victim’s machine, downloading additional payloads from "different well-known malware families" to take over the victim's PC, and closing the weaponized Word file.
Zero-Day Attack Works on All Windows OS — Even Windows 10
According to researchers, this zero-day attack is severe as it gives the attackers the power to bypass most exploit mitigations developed by Microsoft, and unlike past Word exploits seen in the wild, it does not require victims to enable Macros.
Due to these capabilities, this newly discovered attack works on all Windows operating systems even against Windows 10, which is believed to be Microsoft's most secure operating system to date.
Besides this, the exploit displays a decoy Word document for the victims to see before terminating in order to hide any sign of the attack.
"The successful exploit closes the bait Word document and pops up a fake one to show the victim," McAfee researchers wrote in a blog post published Friday. "In the background, the malware has already been stealthily installed on the victim's system."Microsoft is aware of the zero-day flaw as the researchers say they responsibly disclosed the issue to the company after detecting active attacks leveraging this unpatched flaw back in January this year.
"The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office."
FireEye disclosed the details of the vulnerability a day after McAfee went public with the flaw.
The next scheduled Microsoft's release of security updates is this Tuesday, so it's highly unlikely the company will be able to deliver a patch before that day.
How to Protect Yourself against this Attack?
Since the attack works on fully patched systems, users are highly advised to follow the below recommendations to mitigate such attacks:
- Do not open or download any suspicious Word files that arrive in an e-mail, even if you know the sender until Microsoft releases a patch.
- Since the attack does not work when a malicious document is viewed in Office Protected View feature, users are advised to enable this feature to view any Office documents.
- Always keep your system and antivirus up-to-date.
- Regularly backup your files in an external hard-drive.
- Disabling Macros does not offer any protection, but yet users are advised to do so in an attempt to protect themselves against other attacks.
- Always beware of phishing emails, spams, and clicking the malicious attachment.