Attacks Detected with New Microsoft Office Zero-Day

Cyber-security firms McAfee and FireEye have both disclosed in-the-wild attacks with a new Microsoft Office zero-day that allows attackers to silently execute code on targeted machines and secretly install malware.

Microsoft is aware of the zero-day, but it's highly unlikely it will be able to deliver a patch until its next Patch Tuesday, which is scheduled in three days.

McAfee researchers, who disclosed the zero-day's presence, say they've detected attacks leveraging this unpatched vulnerability going back to January this year.

Office Protected View stops the attacks

Attacks with this zero-day follow a simple scenario, and start with an adversary emailing a victim a Microsoft Word document. The Word document contains a booby-trapped OLE2link object.

If the victim uses Office Protected View when opening files, the exploit is disabled and won't execute. If the user has disabled Protected View, the exploit executes automatically, making an HTTP request to the attacker's server, from where it downloads an HTA (HTML application) file, disguised as an RTF.

The HTA file is executed automatically, launching exploit code to take over the user's machine, closing the weaponized Word file, and displaying a decoy document instead.

According to FireEye, "the original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link."

While the attack uses Word documents, OLE2link objects can also be embedded in other Office suite applications, such as Excel and PowerPoint.

Zero-day affects all Windows and Office versions

McAfee experts say the vulnerability affects all current Office versions on all Windows operating systems.

The attack routine does not rely on enabling macros, so if you don't see a warning for macro-laced documents, that doesn't mean the document is safe.

Neither McAfee or FireEye have provided details about the malware installed via this zero-day, but zero-days are usually found in the arsenal of state-backed attackers. On Twitter, security researcher Ryan Hanson claimed he actually discovered the zero-day in July, and submitted a bug report as part of Microsoft's bug bounty program in October.