New MS Word Zero-Day Exploit Uses OLE to Bypass Security

Microsoft Word has been the target of malware for almost as long as it’s been around. Usually, it tries to take advantage of the built-in macro function, but not this time. Macro-files aren’t as effective as they used to be as a lot of apps run in sandboxes these days or the general system security will catch it. This new version that has appeared goes a different way.

The exploit is said to be working on pretty much any version of Word running on any Windows version, even on Windows 10 that has the best protection according to security experts.

The attack starts with an e-mail that attaches a malicious Word document, according to a blog post published Saturday by researchers from security firm FireEye. Once opened, the exploit code concealed inside the document connects to an attacker-controlled server. It downloads a malicious HTML application file that’s disguised to look like a document created in Microsoft’s Rich Text Format. Behind the scenes, the .hta file downloads additional payloads from “different well-known malware families.” Last, before terminating, the exploit opens a decoy Word document in an attempt to hide any sign of the attack that just happened. By using this method, it bypasses most exploit mitigations.

The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office.

FireEye has already been communicating with Microsoft for weeks about the issue, but they had agreed not to publish any details until a patch was in place. But, McAfee disclosed vulnerability details and said that it was aware of attacks dating back to January, so they came forward with their information too.

The attacks observed by McAfee are unable to work when a booby-trapped document is viewed in an Office feature known as Protected View, but you should stay vigilant and be suspicious of any word document you receive in your email inbox.