Security software company McAfee has discovered a new zero-day vulnerability that affects all versions of Microsoft Word. According to the company, the new zero-day exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. For those unaware, a zero-day vulnerability or zero-day attack is a threat that can take advantage of a previously unknown susceptibility in an app or Web service that has not been addressed or patched by developers.
McAfee in its research report detailed it discovered the exploit in action in late January. The samples collected by the team saw the exploit organised as Word files (more specially, RTF files with “.doc” extension name).
“The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigation developed by Microsoft,” explains the McAfee team. The .hta content is said to be disguised as a normal RTF file to evade security products.
“The successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system,” adds the team.
McAfee team has suggested some mitigation against the new zero-day attack before Microsoft issues an official patch including enabling the Office Protected View as the new exploit cannot bypass the Office Protected View, and do not open any Office files obtained from untrusted locations.
“We notified the Microsoft Security Response Center as soon as we found the suspicious samples, and we will continue to work with them to protect Office users,” the team wrote in a blog post.