Security researchers at two companies have revealed a flaw in Microsoft Word that could allow hackers to gain full access to a victim’s machine.
A previously undisclosed vulnerability in Microsoft Office RTF documents enables a hacker to execute a Visual Basic script when a user opens a malicious document, sent to them, that contains an embedded exploit, according to FireEye and McAfee.
Researchers found several malicious Office documents that exploit the vulnerability to download and execute malware payloads from different well-known malware families.
The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file, according to a blog post by McAfee. Because .hta is executable, the attacker gains full code execution on the victim’s machine.
“Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft,” said Haifei Li, senior vulnerability researcher at McAfee.
He added that the successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system. Li said that the root cause of the zero-day vulnerability is related to Windows Object Linking and Embedding (OLE).
Genwei Jiang, senior research engineer at FireEye, said that Microsoft Office users are advised to apply a patch as soon as one is available. He added that FireEye has updated its email and network products to detect the attack.
In tests carried out by McAfee, Li said the attack cannot bypass the Office Protected View. He suggested that users enable Office Protected View.
Microsoft’s Patch Tuesday release of fixes is due tomorrow. There is no word on whether this bug will be fixed in that set of updates.