Microsoft Office users beware, a new critical zero-day attack can install malware on fully patched systems. That’s right, this new Office vulnerability is being taken seriously and Microsoft is working to get the hole buttoned up quickly. The company is pretty straight up on this one, recommending you simply refrain from sending or opening any Word documents period. We were tipped off by a reader who works in the IT security side and he sent us this message from Microsoft Security VP Ryan Barrett.
Microsoft Office has a feature called “Protected View” that is enabled by default; however, you should double check your settings to make sure that this feature is turned on. If you do open a Word document and see the Protected View popup, it’s a pretty good indicator that something is wrong.
In addition to being highly suspicious of any Word document that arrives in an email, there are a few other things we’d recommend that you consider:
- Warn your users, and let them know of the heightened risk related to this attack right now, so they’ll be better prepared if they receive an email with one of these attachments.
- Consider sharing documents through SecuriSync® instead, which can mitigate the risk.
- Within your email filtering solution, such as Intermedia Email Protection, consider temporarily putting a policy in place to block Word documents until Microsoft releases the patch.
- If you are managing your systems with Active Directory®, consider:
- Temporarily enabling the Group Policy Object (GPO) that disallows editing of flagged files. This means users will just have a read-only protected view for any documents that Microsoft recognizes as unsafe.
- Within Trust Center, enabling the GPO that uses File Block to block .rtf files, not even allowing for them to be opened in “Protected View”.
There is currently no patch for this bug, however, Microsoft is expected to release a fix within its next round of security updates tomorrow. Be on the lookout for communications from Microsoft around this matter.
The Microsoft Office exploit was first discovered by McAfee.
The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft.