The vulnerability was discovered by security research firm FireEye. A team of researchers found malicious Microsoft Office files which download and install malware from various web servers when the document is opened. Several well-known kinds of malware are involved in the attack.
The exploit begins when one of the malicious Word files is emailed to the target. If the user opens the file, a Visual Basic script is run. Visual Basic is Microsoft’s programming language used to create advanced macros in Office programs.
The script downloads a malicious .hta file disguised as an innocuous RTF (Rich Text Format) file. This is then executed by the Microsoft HTA program. The contents of the file start downloads of other malware, close the active Word instance to hide its warning messages from the user, and then open a decoy document for display.
This form of attack vector has not previously been observed in the wild. Microsoft Office attacks are increasing in popularity and sophistication, a trend borne out by the latest discovery. The user doesn’t need to have macros enabled for any of the malicious scripts to be executed, allowing the exploit to be successful against any Word user.
While it cannot be wholly relied upon, Office’s Protected View does seem to prevent the attack from going ahead. Protected View is normally used by default when opening a file delivered in an email or downloaded from the web, disabling everything but the essentials of its content to maximise security. Until the update is installed, users would be well advised not to leave Protected View if emailed a suspicious-looking document.
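Two defender-side checks that follow from the chain described above, written here as an added example rather than anything from FireEye's report or this article: a file named as RTF whose bytes are actually HTA/HTML markup, and a process-creation record in which Word launched the HTA host (mshta.exe). The log field names, sample file contents and sample log lines are constructed assumptions, not a real product's format.

```python
import re

# Genuine RTF documents begin with the "{\rtf" control word.
RTF_MAGIC = b"{\\rtf"
# Markers typical of HTML Application (HTA) content that do not belong in an RTF body.
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")


def looks_like_disguised_hta(filename: str, data: bytes) -> bool:
    """True when a file carries an .rtf name but its content is HTA/HTML rather than RTF."""
    if not filename.lower().endswith(".rtf"):
        return False
    if data.lstrip()[:8].lower().startswith(RTF_MAGIC):
        return False  # real RTF: the magic control word is present
    lowered = data.lower()
    return any(marker in lowered for marker in HTA_MARKERS)


def parse_record(line: str) -> dict:
    """Parse a constructed key="value" process-creation record (assumed format)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def word_spawned_hta_host(line: str) -> bool:
    """True when a Word process started mshta.exe, the host that runs .hta files."""
    rec = parse_record(line)
    parent = rec.get("parent_image", "").lower()
    image = rec.get("image", "").lower()
    return parent.endswith("winword.exe") and image.endswith("mshta.exe")


SAMPLE_FILES = {  # constructed sample attachments
    "invoice.rtf": b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}} Hello\\par }",
    "template.rtf": b"<html><head><hta:application id=x /><script>x=1</script></head></html>",
}
SAMPLE_LOG = [  # constructed sample process-creation records
    'ts="2017-04-10T09:12:01Z" parent_image="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" image="C:\\Windows\\System32\\mshta.exe" cmdline="mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\template.rtf"',
    'ts="2017-04-10T09:12:05Z" parent_image="C:\\Windows\\explorer.exe" image="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" cmdline="WINWORD.EXE invoice.docx"',
]


def scan(files=SAMPLE_FILES, log=SAMPLE_LOG) -> list:
    """Return (kind, detail) findings for the given attachments and log records."""
    findings = [("disguised-hta", name) for name, data in files.items() if looks_like_disguised_hta(name, data)]
    findings += [("word-spawned-mshta", parse_record(l).get("ts", "")) for l in log if word_spawned_hta_host(l)]
    return findings


if __name__ == "__main__":
    for kind, detail in scan():
        print(f"ALERT {kind}: {detail}")
```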
FireEye has already contacted Microsoft with its findings. It agreed not to disclose details of the vulnerability until the company could develop an update. It ended up publishing its post a few days early after fellow cybersecurity firm McAfee separately announced it had found the same attack in use in the wild. According to McAfee, hackers first started using the technique back in January.
FireEye said it is aware of “several” document files that include code capable of exploiting the vulnerability. Although exploit attempts will be detected by FireEye security products, other antivirus software may not be triggered. With the files capable of bypassing “most mitigations,” users should install the update as soon as it becomes available.
Microsoft will be issuing a patch for the flaw as part of its Patch Tuesday Windows security updates tomorrow. It will be delivered automatically to Windows machines with Office installed in accordance with the user’s Windows Update settings. It isn’t clear how many people have been targeted by the attack or whether similar flaws are present in other Office programs.