Microsoft Office users are under attack from a zero-day vulnerability. Researchers at Proofpoint sounded the alarm about a critical 0-day threat, known as CVE-2017-0199, in Microsoft Word that allowed phishing attacks to be sent to millions of users, claiming to be a PDF sent to them by their company photocopier. Security firm McAfee first publicly posted about the new zero-day vulnerability in Microsoft Word files on April 7, with security firm FireEye following with its own disclosure a day later on April 8.
This one is particularly bad because it bypasses exploit mitigations built into Windows and does not require users to enable macros. The issue, as described by McAfee and FireEye, is found in Microsoft Office’s Word application, specifically linked to Rich Text Format (RTF) documents. The vulnerability is present in all versions of Microsoft Office, including the latest Office 2016 edition running on the Windows 10 operating system. The actual vulnerability is a flaw in the Windows Object Linking and Embedding (OLE) component that enables content to be linked inside of documents.
“The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file,” McAfee explained in its disclosure. McAfee added that because the .hta file is executable, an attacker is able to gain full code execution on the victim’s machine.
For its part, FireEye reported that it has seen the vulnerability used in attacks deploying various malicious payloads from different well-known malware families. FireEye specifically noted that an embedded OLE2link object is used in the attack, triggering the malicious .hta file, which then executes the malicious payload. FireEye explains in its disclosure that the malicious script ends up terminating the winword.exe (Word application) process and then loading a decoy document.
“The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link,” FireEye warns.
Emails in this type of attack used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from [device], where [device] may be “copier”, “documents”, “noreply”, “no-reply”, or “scanner”. The subject line in all cases read “Scan Data” and included attachments named “Scan_123456.doc” or “Scan_123456.pdf”, where “123456” was replaced with random digits. Note that while this type of attack does not rely on sophisticated social engineering, the spoofed email domains and the common practice of emailing digitized versions of documents make the lures fairly convincing.
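The lure described above (sender local part, subject line and attachment name) is specific enough to hunt for in mail gateway logs. The following is an added example, not code from the article or from Proofpoint, that scores a message against those three indicators; the function name Test-ScanDataLure and the sample messages are constructed for the example, and in practice you would feed it rows exported from your own mail logs.

```powershell
# Added example (not from the original article): flag messages that match the
# "Scan Data" lure described in the text. All sample messages below are constructed.

$LureSenders    = @('copier', 'documents', 'noreply', 'no-reply', 'scanner')
$LureSubject    = 'Scan Data'
$LureAttachment = '^Scan_\d{6}\.(doc|pdf)$'   # Scan_<six digits>.doc or .pdf

function Test-ScanDataLure {
    param(
        [Parameter(Mandatory)] [string]   $From,
        [Parameter(Mandatory)] [string]   $Subject,
        [string[]] $Attachments = @()
    )
    # Local part of the sender address (text before '@'); -contains is case-insensitive
    $localPart     = ($From -split '@')[0]
    $senderHit     = $LureSenders -contains $localPart
    $subjectHit    = $Subject.Trim() -eq $LureSubject
    $attachmentHit = @($Attachments | Where-Object { $_ -match $LureAttachment }).Count -gt 0

    # Report each indicator separately so an analyst can see partial matches;
    # only the combination of all three is raised as suspicious.
    [pscustomobject]@{
        From            = $From
        Subject         = $Subject
        Attachments     = ($Attachments -join ';')
        SenderMatch     = $senderHit
        SubjectMatch    = $subjectHit
        AttachmentMatch = $attachmentHit
        Suspicious      = ($senderHit -and $subjectHit -and $attachmentHit)
    }
}

# Constructed sample messages (not real traffic): two lures, two benign messages
$samples = @(
    @{ From = 'copier@example.com';  Subject = 'Scan Data';    Attachments = @('Scan_482913.doc') },
    @{ From = 'scanner@example.com'; Subject = 'Scan Data';    Attachments = @('Scan_118273.pdf') },
    @{ From = 'alice@example.com';   Subject = 'Scan Data';    Attachments = @('quarterly.docx') },
    @{ From = 'noreply@example.com'; Subject = 'Your invoice'; Attachments = @('Scan_000001.doc') }
)

foreach ($s in $samples) { Test-ScanDataLure @s } | Format-Table -AutoSize
```

Only the first two sample messages come out with Suspicious set to True. Requiring all three indicators keeps the rule from firing on ordinary scanner traffic, which is exactly what the lure imitates; a looser rule would flag every real copier in the company.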
1) Patch. Microsoft released its regular batch of security patches, including a fix for this Office zero-day vulnerability, CVE-2017-0199. This was not the only thing that needed patching: an elevation of privilege vulnerability in Internet Explorer (CVE-2017-0210) that would allow an attacker to convince a user to visit a compromised website was also fixed.
2) If you cannot patch for some reason, here is a quick workaround that prevents this exploit from working. Under the Windows registry key Software\Microsoft\Office\15.0\Word\Security\FileBlock, set RtfFiles to 2 and OpenInProtectedView to 0.
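The registry workaround above can be applied and verified with a short script. The following is an added example, not the article's own instructions or Microsoft's code; it assumes the key lives under the current user's hive (HKCU, the usual location for Office FileBlock settings, which the article does not state) and uses the 15.0 version key named in the article, so installs with a different Office version key would need the path adjusted. The function names Set-WordRtfFileBlock and Test-WordRtfFileBlock are constructed for the example.

```powershell
# Added example (not from the original article): apply the RTF FileBlock
# workaround for the current user and read it back to confirm it took effect.
# Assumption: HKCU hive and Office version key 15.0, as discussed in the lead-in.

$FileBlockKey = 'HKCU:\Software\Microsoft\Office\15.0\Word\Security\FileBlock'

function Set-WordRtfFileBlock {
    # The FileBlock key does not exist until a file block setting has been made,
    # so create it first.
    if (-not (Test-Path $FileBlockKey)) {
        New-Item -Path $FileBlockKey -Force | Out-Null
    }
    # Values as given in the article: RtfFiles = 2, OpenInProtectedView = 0.
    # -Force overwrites any existing value rather than failing.
    New-ItemProperty -Path $FileBlockKey -Name 'RtfFiles' `
        -PropertyType DWord -Value 2 -Force | Out-Null
    New-ItemProperty -Path $FileBlockKey -Name 'OpenInProtectedView' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-WordRtfFileBlock {
    # Returns $true only when both values are present with the expected data
    if (-not (Test-Path $FileBlockKey)) { return $false }
    $p = Get-ItemProperty -Path $FileBlockKey
    return ($p.RtfFiles -eq 2 -and $p.OpenInProtectedView -eq 0)
}

Set-WordRtfFileBlock
if (Test-WordRtfFileBlock) {
    'RTF FileBlock workaround is in place for the current user.'
} else {
    Write-Warning 'FileBlock values were not set as expected; check the key path for your Office version.'
}
```

Because the key is in the user hive, the setting only protects the account that ran the script; to cover every user on a machine, push the same values out as a Group Policy preference instead. Treat this as a stopgap: it blocks Word from opening RTF files, which is the file type the attack relied on, but the underlying OLE flaw is only fixed by installing the patch.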