McAfee and FireEye Warn of Sneaky Windows 10 Zero-Day Cyber Attack Using Word Documents

Windows 10 systems susceptible to this zero-day vulnerability yet unpatched

Security researchers at McAfee and FireEye have warned of a zero-day vulnerability in Microsoft Office applications – even on Windows 10 – that can be used to mount an attack on users with a simple MS Word document. The vulnerability has yet to be patched, but is said to be present on all current versions of MS Office – even on PCs that have all their security updates in place.

The attack starts as an innocent-looking Word document that comes attached to an email, but is booby-trapped with an OLE2link object. Once the document is opened, the payload executes and connects to a remote server controlled by the bad actor. From there, it will download an HTML application file, but that file itself is disguised as a rich text file (RTF.)

The HTA file is then automatically executed, giving the hackers full code execution privileges on the affected device. It will then proceed to download even more malicious payloads across various “well-known malware families”, subsequently closing the original Word file that was weaponized for the attack.

The vulnerability has been spotted even on Windows 10 PCs as Windows 10 Creators Update rolls out to users worldwide. The security researchers who discovered this vulnerability say that it is different from other Word exploits seen in the past because it does not require the user to enable Macros. That’s the reason it works even on Windows 10, they say.

In a blog post published last week, McAfee researchers said this:

“The successful exploit closes the bait Word document and pops up a fake one to show the victim. “In the background, the malware has already been stealthily installed on the victim’s system.”

“The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office.”

And that’s the reason this vulnerability is more dangerous that many others, because the victim won’t even know that the payload is being installed on their system.

Microsoft was reportedly made aware of this vulnerability back in January 2017, after security researchers from McAfee and FireEye found active hacks using this un-patched flaw. Today is Microsoft’s Patch Tuesday for April, which means a patch could come in a cumulative update that should roll out today alongside the massive Windows 10 Creators Update rollout.

Hacker News offers some valuable tips to users of all Windows systems including Windows 10 until the patch is made available:

  • Do not open or download any suspicious Word files that arrive in an e-mail, even if you know the sender until Microsoft releases a patch.
  • Since the attack does not work when a malicious document is viewed in Office Protected View feature, users are advised to enable this feature to view any Office documents.
  • Always keep your system and antivirus up-to-date.
  • Regularly backup your files in an external hard-drive.
  • Disabling Macros does not offer any protection, but yet users are advised to do so in an attempt to protect themselves against other attacks.
  • Always beware of phishing emails, spams, and clicking the malicious attachment.

Thanks for reading our work! If you enjoyed it or found value, please share it using the social media share buttons on this page. If you have something to tell us, there’s a comments section right below, or you can us.