Microsoft Office Vulnerability Used in Zero-Day Attacks

Reports about an unpatched vulnerability in Microsoft Office have come from both McAfee and FireEye. The cybersecurity companies warn that the weakness allows attackers to achieve full code execution on the targeted machines.

The vulnerable element is the Object Linking and Embedding (OLE) functionality. Exploiting the flaw lets the perpetrators craft malicious RTF (Rich Text Format) files that link to HTA (HTML Application) files hosted on remote servers. These HTA files are used to load and execute a final Visual Basic script.

McAfee noted that the malicious RTF samples they observed were concealed with a fake .doc file extension. The researchers went on to elaborate how the attack is made possible. “Because .hta is executable, the attacker gains full code execution on the victim’s machine”.

In their reports, McAfee and FireEye highlighted that this logic bug enables attackers to bypass memory-based mitigations and other security features present in Microsoft applications. The rogue documents download and execute malicious payloads belonging to various malware families.

To evade detection, the attackers disguise the dangerous HTA files as regular RTF documents. The exploit follows a set pattern once the document is opened. Upon making its way in, the infected document closes the original Microsoft Office file. It then opens a new file to distract the victim. During the commotion, the malicious code is installed by a background process.

“In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link,”
FireEye added.

McAfee stated that the vulnerability was discovered in January. Since then, the company reported observing several cases where attacks were leveraging the faulty code. According to the company’s experts, all versions of Microsoft Office are susceptible to these attacks, including Office 2016 on Windows 10.

FireEye stated that they have also been aware of the vulnerability for a while. The company said that they had been corresponding with Microsoft regarding the matter. An agreement was made to release information about the vulnerability only after a patch was devised. The next set of security patches is expected to be released later today.

In conclusion, the security experts advised users to avoid opening Microsoft Office files sent from unconfirmed sources, such as dubious emails. The attack code can be blocked from executing by keeping Office in Protected View; the vulnerability is reportedly unable to bypass this mode.
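The reports above describe RTF files carrying OLE link objects and hidden behind a .doc extension. The following triage check is an added example written for this article, not code from McAfee, FireEye or Microsoft; it flags documents whose extension and magic bytes disagree and reports which OLE object control words the RTF contains. The sample files and file names are constructed for the demonstration.

```python
"""Triage check: does a '.doc' really contain RTF, and does that RTF carry OLE objects?"""
from pathlib import Path

RTF_MAGIC = b"{\\rtf"                                  # every RTF file starts with {\rtf
OLE_CF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # legacy .doc is an OLE compound file
# RTF control words from the RTF specification that introduce embedded or linked objects
OLE_OBJECT_WORDS = [b"\\objautlink", b"\\objdata", b"\\object"]


def classify(data: bytes) -> str:
    """Identify the container format from its leading bytes, ignoring the extension."""
    head = data.lstrip()[:8]
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(OLE_CF_MAGIC):
        return "ole-doc"
    return "unknown"


def rtf_ole_words(data: bytes) -> list:
    """Return the OLE-related control words present in an RTF body."""
    return [w.decode() for w in OLE_OBJECT_WORDS if w in data]


def assess(name: str, data: bytes) -> dict:
    """Combine the extension/format mismatch with the presence of OLE objects."""
    kind = classify(data)
    ext = Path(name).suffix.lower()
    mismatch = ext in (".doc", ".docx") and kind == "rtf"
    words = rtf_ole_words(data) if kind == "rtf" else []
    return {
        "name": name,
        "kind": kind,
        "extension_mismatch": mismatch,
        "ole_object_words": words,
        "suspicious": mismatch and bool(words),   # RTF posing as .doc *and* linking an object
    }


# Constructed samples (not real malware): a plain RTF, an RTF with a linked OLE object
# hidden behind a .doc name, and the header of a genuine OLE compound document.
SAMPLE_PLAIN = b"{\\rtf1\\ansi Quarterly notes.}"
SAMPLE_MASQUERADE = b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 01050000}}}"
SAMPLE_REAL_DOC = OLE_CF_MAGIC + b"\x00" * 24

if __name__ == "__main__":
    for fname, blob in [("notes.rtf", SAMPLE_PLAIN),
                        ("invoice.doc", SAMPLE_MASQUERADE),
                        ("report.doc", SAMPLE_REAL_DOC)]:
        print(assess(fname, blob))
```

Run the script in a quarantine directory and feed the results into your mail-gateway or endpoint alerting; a mismatch alone is unusual, a mismatch plus an object link is worth an analyst's attention.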
