Microsoft Word zero-day flaw 'used to infect millions'

Hackers are taking advantage of a newly revealed Microsoft Word zero-day to mount a very large campaign infecting the systems of millions of recipients across numerous organisations.

Cyber criminals are exploiting the vulnerability to spread Dridex malware, according to ablog postby IT security firm Proofpoint. Victims are sent an attached Microsoft Word RTF (Rich Text Format) document via email- the malware exploits the way Microsoft handles OLE2Link objects. Researchers said this exploit bypasses most mitigations.

When recipients open the document, the exploit, if successful, is used to carry out a series of actions that lead to the installation of Dridex botnet ID 7500 on the user's system.

The researchers said that in testing, a vulnerable system was fully exploited even though users were presented a dialogue about the document containing "links that may refer to other files" (user interaction was not required).

"The Microsoft OLE2Link object can open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system," according to anadvisory by CERT at the Software Engineering Institute at Carnegie Mellon University.

Unusually, users do not have to enable macros for the exploit to work. Documents with macros are normally blocked from working by security features in Office and Windows.

Researchers said that campaign was the first they had observed that uses the newly disclosed Microsoft zero-day. "This represents a significant level of agility and innovation for Dridex actors," said researchers. They added: "This campaign was sent to millions of recipients across numerous organizations primarily in Australia."

ITProasked Microsoft whether it had seen evidence of the mass email campaign. The vendor released its patch for the flaw yesterday, but this would be too late for anyone who had clicked on a malicious email before then.

A Microsoft spokesperson said that the flaw "was addressed in the April security update release on April 11, 2017. Customers who applied the update, or have automatic updates enabled, are already protected."

Sherrod DeGrippo, director of Emerging Threats atProofpoint, told IT Pro that threat actors continue to demonstrate their flexibility and adaptability, rapidly taking advantage of new means of infecting users.

"Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers' toolkits. New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign that relied on this new exploit," he said.

11/04/2017:Microsoft releases update to patch Word bug

Microsoft has announced a patch for a flaw in Microsoft Word thatallowed hackers to gain access to a victim's machine.

Microsoft will fix the bug, which surfaced last weekend, as part of today's Patch Tuesday.

A Microsoft spokesmansaid: "We plan to address this through an update on Tuesday April 11, and customers who have updates enabled will be protected automatically."

The spokesman added: "Meanwhile we encourage customers to practise safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue."

Security researchers at FireEye and McAfee discovered the zero-day bug, finding that it enabled hackers to execute a Visual Basic script when the user opens a malicious document sent to them containing an embedded exploit.

Finding various malicious Office documents which exploited the vulnerability, the researchers found the exploit downloads and executes malware payloads from various well known malware families.

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file, McAfee wrote inablog post. As .hta is executable, the attacker can access the victim's machine as they gain full code execution.

10/04/2017:Zero-day bug in Word could allow hackers to take over your PC

Security researchers at two companies have revealed a flaw in Microsoft Word that could allow hackers to gain full access to a victim's machine.

A previously undisclosed vulnerability in Microsoft Office RTF documents enables a hacker to execute a Visual Basic script when the user opens a malicious document sent to them containing an embedded exploit, according toFireEye and McAfee.

Researchers found several malicious Office documents exploiting the vulnerability, which downloads and executes malware payloads from different well-known malware families.

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file, according to ablog postby McAfee. Because .hta is executable, the attacker gains full code execution on the victim's machine.

"Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft," said Haifei Li, senior vulnerability researcher at McAfee.

He added that the successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim's system. Li said that the root cause of the zero-day vulnerability is related to Windows Object Linking and Embedding (OLE).

Genwei Jiang, senior research engineer at FireEye, said that Microsoft Office users are recommended to apply a patch as soon as one is available.He added that FireEye has updated its email and network products to detect the attack.

In tests carried out by McAfee, Li said the attack cannot bypass the OfficeProtected View. He suggested that users enable Office Protected View.

Microsoft's Patch Tuesday release of fixes is due tomorrow. There is no word on whether this bug will be fixed in that set of updates.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.