
Booby-trapped Word documents in the wild exploit critical Microsoft 0day


Karlston


The exploit appears in a Word doc attached to an email message. When you open the doc, it has an embedded link that retrieves an executable HTML file which looks like an RTF file. Apparently, all of that happens automatically.


The downloaded file loads a decoy that looks like a document, so the user thinks they’re looking at a doc. It then stops the Word program to hide a warning that would normally appear because of the link.


Very clever. It works on all versions of Windows, including Win10. It works on all versions of Office, including Office 2016.


Good overview by Dan Goodin at Ars Technica.


Technical analysis by Genwei Jiang at FireEye.

FireEye shared the details of the vulnerability with Microsoft and has been coordinating for several weeks public disclosure timed with the release of a patch by Microsoft to address the vulnerability. After recent public disclosure by another company, this blog serves to acknowledge FireEye’s awareness and coverage of these attacks.

Likely cause of the rush to disclose from Haifei Li at McAfee.


McAfee’s recommendation:

  • Do not open any Office files obtained from untrusted locations.
  • According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.


Source: Booby-trapped Word documents in the wild exploit critical Microsoft 0day (AskWoody)

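The post above describes the document side of the chain: a Word/RTF file carrying an embedded OLE2Link object that makes winword.exe fetch a remote .hta without the user doing anything. The following triage script is an added example for this thread, not code from AskWoody, FireEye or McAfee. It assumes the object class is advertised with the RTF \objclass keyword, that the OLE object data in \objdata is hex-encoded with the class name repeated in ANSI inside it, that the remote target is stored in that data as a UTF-16LE string, and that \objupdate is what asks Word to refresh the link on open. The sample document it builds is constructed for the demo and is not a real in-the-wild file.

```python
r"""Triage an RTF file for an embedded OLE2Link object of the kind described above.

Added example for the thread, not code from AskWoody, FireEye or McAfee.
Assumptions: \objclass names the object class, \objdata holds hex-encoded OLE
object data with the class name repeated in ANSI, the remote target (.hta URL)
sits in that data as UTF-16LE, and \objupdate makes Word refresh the link on open.
build_sample_rtf() and BENIGN_RTF are constructed samples, not real documents.
"""
import re

_HEX_RUN = re.compile(r"[0-9a-fA-F]+")
# http:// or https:// followed by printable ASCII, all encoded as UTF-16LE
_UTF16_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def _group_end(text: str, start: int) -> int:
    r"""Index one past the '}' closing the group opened at text[start] == '{'.
    Nested groups are honoured; escaped braces (\{ \}) and \\ are skipped."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text) and text[i + 1] in "{}\\":
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(text)  # unterminated group: take the rest of the file


def find_ole2link_objects(rtf: str) -> list[dict]:
    r"""One finding per {\object ...} group in the RTF text."""
    findings = []
    for m in re.finditer(r"\{\\object\b", rtf):
        grp = rtf[m.start():_group_end(rtf, m.start())]
        cls = re.search(r"\\objclass\s+([^\s{}\\]+)", grp)
        hexdata = re.search(r"\\objdata\s*([0-9a-fA-F\s]+)", grp)
        hexstr = "".join(_HEX_RUN.findall(hexdata.group(1))) if hexdata else ""
        blob = bytes.fromhex(hexstr[: len(hexstr) & ~1])  # drop a dangling nibble
        objclass = cls.group(1) if cls else None
        # The class name shows up as the \objclass keyword and, in ANSI, inside
        # the OLE1 header of the object data; either is enough to flag.
        has_marker = b"OLE2Link" in blob or (objclass or "").lower() == "ole2link"
        auto_update = "\\objupdate" in grp
        urls = [u.group(0).decode("utf-16-le") for u in _UTF16_URL.finditer(blob)]
        findings.append({
            "objclass": objclass,
            "auto_update": auto_update,
            "ole2link_marker": has_marker,
            "urls": urls,
            # A link object that refreshes on open, or carries a remote URL, is
            # the combination to block before the user ever sees a prompt.
            "suspicious": has_marker and (auto_update or bool(urls)),
        })
    return findings


def build_sample_rtf(url: str) -> str:
    """Constructed sample: a linked object advertising OLE2Link that refreshes on
    open and points at `url`. Header bytes are only an approximation of OLE1."""
    name = b"OLE2Link\x00"
    blob = (bytes.fromhex("01050000")            # OLE1 version marker
            + bytes.fromhex("02000000")          # format id
            + len(name).to_bytes(4, "little")    # class-name length
            + name
            + b"\x00" * 8                        # stands in for the rest of the header
            + url.encode("utf-16-le") + b"\x00\x00")
    hexdata = blob.hex()
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (r"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}" "\n"
            r"{\object\objautlink\objupdate\objw1500\objh1000{\*\objclass OLE2Link}"
            "{\\*\\objdata \n" + wrapped + "}}\n"
            r"\f0\fs24 Please see the attached figures.\par}")


# Constructed benign document: an ordinary embedded spreadsheet, no link, no URL.
BENIGN_RTF = r"{\rtf1\ansi{\object\objemb{\*\objclass Excel.Sheet.8}{\*\objdata 0105000002000000}}Hello\par}"


if __name__ == "__main__":
    for f in find_ole2link_objects(build_sample_rtf("http://example.invalid/report.hta")):
        print(f)
    print(find_ole2link_objects(BENIGN_RTF))
```

Run it over a mail-gateway quarantine and treat `suspicious` as a block decision; the extracted URL is the indicator to hand to the network team. Documents in the OOXML (.docx) container keep the same object in `word/embeddings/oleObject*.bin`, so the same marker check applies to the unzipped binary, which this script does not cover.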

Security researchers at FireEye revealed a zero-day vulnerability in Microsoft Word that can be used to deploy malware on unpatched systems with just a malicious RTF document.

The worst thing in this new disclosure is that the security flaw is not yet patched, and although Microsoft has been working with FireEye to develop a fix, the company decided to go public with these details because of the growing number of attacks happening lately and after another vendor disclosed them publicly too.

Specifically, an attacker who wants to take advantage of this security vulnerability needs to trick the victim into opening a malicious RTF document on their computer, and to do this, they send the file via email. Once launched, this document executes a Visual Basic script that connects to a remote server to download additional payloads.

Patch possibly coming tomorrow

A successful exploit can bypass most mitigations, FireEye warns, and this is why it’s critical for users to deploy the patch as soon as Microsoft releases it. FireEye has more information on how an attack works on unpatched Windows computers:

“The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file.

The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.”

Microsoft is expected to provide a fix tomorrow as part of the Patch Tuesday rollout, and users are recommended to avoid opening RTF documents coming from unknown sources. These documents are typically spreading via email, so just mark as spam any suspicious messages to remain protected until a patch lands.

From: http://news.softpedia.com/news/zero-day-flaw-in-microsoft-word-can-be-used-to-hijack-any-windows-system-514726.shtml

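The FireEye description quoted above gives three host-side observables in order: winword.exe making an HTTP request, the HTA host running the downloaded script, winword.exe being terminated to suppress the OLE2Link prompt, and then a decoy document being opened. The detection below is an added example for this thread, not code from FireEye, Softpedia or the thread's posters. Its telemetry is constructed with a simplified schema (not a real Sysmon or EDR format), and it assumes the HTA host is mshta.exe and appears in process telemetry as a child of the Office process that fetched the .hta.

```python
"""Sequence detection for the winword -> .hta -> decoy chain quoted above.

Added example, not code from the thread, FireEye or Softpedia. The telemetry
is constructed for this demo with a simplified schema. Assumption: the HTA
host is mshta.exe and shows up as a child of the Office process.
"""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
KILL_WINDOW = 10.0  # seconds: an outbound connect followed by termination this fast is odd for a user

SAMPLE_EVENTS = [  # constructed; ts in seconds, pids arbitrary
    # the chain described in the post
    {"ts": 0.0, "event": "process_create", "pid": 4120, "ppid": 3000, "image": "winword.exe", "parent": "explorer.exe"},
    {"ts": 2.1, "event": "network_connect", "pid": 4120, "image": "winword.exe", "dest": "203.0.113.7:80"},
    {"ts": 2.4, "event": "process_create", "pid": 4188, "ppid": 4120, "image": "mshta.exe", "parent": "winword.exe"},
    {"ts": 2.9, "event": "process_terminate", "pid": 4120, "image": "winword.exe"},
    {"ts": 3.5, "event": "process_create", "pid": 4200, "ppid": 4188, "image": "winword.exe", "parent": "mshta.exe"},
    # benign: user opens a document, Word talks to a server, user closes it much later
    {"ts": 20.0, "event": "process_create", "pid": 5000, "ppid": 3000, "image": "winword.exe", "parent": "explorer.exe"},
    {"ts": 25.0, "event": "network_connect", "pid": 5000, "image": "winword.exe", "dest": "198.51.100.9:443"},
    {"ts": 90.0, "event": "process_terminate", "pid": 5000, "image": "winword.exe"},
]


def detect(events: list[dict]) -> list[dict]:
    """Return one alert per Office process that produced at least one signal.

    Signals, keyed on the Office pid the chain started from:
      office_spawns_script_host        Word launched mshta/wscript/etc.
      office_connect_then_terminate    Word made an outbound connection and died within KILL_WINDOW
      decoy_relaunch_from_script_host  a new Office process was started by that script host
    Two distinct signals on the same pid are rated high; one alone is medium,
    because connect-then-terminate on its own is a weak signal.
    """
    events = sorted(events, key=lambda e: e["ts"])
    signals = defaultdict(list)   # office pid -> [(rule, ts), ...]
    host_parent = {}              # script-host pid -> office pid that spawned it
    first_connect = {}            # office pid -> ts of first outbound connection
    for e in events:
        kind, image = e["event"], e["image"].lower()
        parent = e.get("parent", "").lower()
        if kind == "process_create":
            if image in SCRIPT_HOSTS and parent in OFFICE:
                host_parent[e["pid"]] = e["ppid"]
                signals[e["ppid"]].append(("office_spawns_script_host", e["ts"]))
            elif image in OFFICE and e["ppid"] in host_parent:
                signals[host_parent[e["ppid"]]].append(("decoy_relaunch_from_script_host", e["ts"]))
        elif kind == "network_connect" and image in OFFICE:
            first_connect.setdefault(e["pid"], e["ts"])
        elif kind == "process_terminate" and image in OFFICE:
            t0 = first_connect.get(e["pid"])
            if t0 is not None and e["ts"] - t0 <= KILL_WINDOW:
                signals[e["pid"]].append(("office_connect_then_terminate", e["ts"]))
    alerts = []
    for pid, sigs in signals.items():
        rules = [r for r, _ in sigs]
        alerts.append({"pid": pid, "rules": rules,
                       "severity": "high" if len(set(rules)) >= 2 else "medium"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The first rule is the one to alert on immediately; the other two exist so that a variant which launches the script host through a different parent still leaves a high-severity trail once Word is killed and the decoy appears. Tune KILL_WINDOW against your own baseline of how quickly users close documents after opening them.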


Patched today on Windows XP also, using the embedded trick.



2 hours ago, banned said:

Patched today on Windows XP also, using the embedded trick.

Microsoft Office is where a lot of malware is coming from on Mac OS X as well. They got updates today too.

https://support.office.com/en-us/article/Update-history-for-Office-2016-for-Mac-700cab62-0d67-4f23-947b-3686cb1a8eb7


