A new zeroday attack is exploiting a flaw in Microsoft Word and infects fully patched devices with malware.
This method of infection was announced by FireEye, a security firm that published a blog post about it this Saturday. Apparently, the attack starts with an email that arrives with an infected Word document attached. After its opening, an exploit code from the inside of the document connects to the server controlled by an attacker. Next, a malicious HTML app is downloaded, but it’s still being disguised, and it looks like a Microsoft’s Rich Text Format. Under the surface, the malware works on downloading other malware and spreads the infection even further.
This is not a new kind of attack, but this method is different and important for several reasons. First, it can bypass almost all of the exploit mitigations, and this is something that’s especially alarming, since it allows it to work against pretty much any system, including Windows 10, which is Microsoft’s most secure system so far. Next, this attack is different than the previous ones that tried to exploit Word flaws, and it doesn’t need for their targets to enable macros. Also, before the attack ends, a new Word document is opened. This is done in order to hide the fact that the attack just took place.
The attacks were first reported by a security firm McAfee around Friday night, and they described it in the blog post.
FireEye has stated that they’ve been discussing the flaw with Microsoft for several weeks and that they haven’t published anything before so that Microsoft would have time to work on a patch. Still, after McAfee released the details about the flaw, FireEye decided to publish their own blog post.
The earliest attack that the researchers of McAfee had managed to discover was back in January, and the security update is supposed to be released this Tuesday.
So far, zeroday attacks have mostly been used against individuals that have been known to work for a government agency, contractor or similar organization that can be attractive to cyber criminals. However, after the vulnerability has become public knowledge, this sort of attacks are known to start targeting larger masses.
The only advice that can be given in this type of situation is to be extra careful about documents that arrive by email, even if the sender is known to you. There’s also an Office feature called Protected View, and the attacks were unable to work when the document was opened by using this method. Other ways of opening potentially infected documents have not been confirmed as safe.
