Security researchers have discovered a new zero-day attack in the wild that can silently install malware on a fully-patched computer through a vulnerability in Microsoft Word.
McAfee and FireEye posted blogs revealing the attack, which, as these things so often do, starts with a malicious email attachment. In this case, it’s a Word document that contains an embedded exploit. Once opened, an HTTP request is sent to a remote, attacker-controlled server to download a malicious HTML application file (HTA), which appears as a fake Rich Text Format document.
The .hta file is executed automatically, giving the attackers full code execution on the machine, which they use to download additional payloads from “different well-known malware families.”
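From the defender's side, the disguise described above (an HTML application presented as an RTF document) can be checked for in proxy or mail-gateway captures. The following is an added example, not code from McAfee, FireEye or the original article; the function names, verdict strings and sample responses are constructed for illustration, and `application/hta` is the MIME type Windows associates with HTA files.

```python
import re

RTF_MAGIC = b"{\\rtf"                      # every genuine RTF file starts with this
RTF_TYPES = {"application/rtf", "text/rtf"}
HTA_TYPE = "application/hta"
# Markup an HTML application carries and a plain RTF document does not.
SCRIPT_MARKERS = re.compile(rb"<\s*(script|hta:application)\b", re.IGNORECASE)


def media_type(content_type):
    """Strip parameters such as charset and normalise case."""
    return content_type.split(";")[0].strip().lower()


def presents_as_rtf(name, content_type, body):
    """True if the download claims to be RTF by name, header or leading bytes."""
    return (name.lower().endswith(".rtf")
            or media_type(content_type) in RTF_TYPES
            or body.lstrip().startswith(RTF_MAGIC))


def classify_download(name, content_type, body):
    """Return 'hta-in-rtf', 'not-rtf' or 'ok' for one captured HTTP response."""
    if not presents_as_rtf(name, content_type, body):
        return "ok"                        # out of scope for this check
    if SCRIPT_MARKERS.search(body) or media_type(content_type) == HTA_TYPE:
        return "hta-in-rtf"                # RTF-looking file with HTA content
    if not body.lstrip().startswith(RTF_MAGIC):
        return "not-rtf"                   # named RTF but missing the RTF header
    return "ok"


# Constructed sample responses: (file name, Content-Type header, body bytes).
SAMPLES = [
    ("template.rtf", "application/hta",
     b"{\\rtf1\\ansi filler}\n<script language=\"VBScript\">' placeholder\n</script>"),
    ("notes.rtf", "application/rtf; charset=us-ascii", b"{\\rtf1\\ansi Hello}"),
    ("report.rtf", "text/html", b"<html><body>hi</body></html>"),
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        print(f"{name:14} {ctype:36} -> {classify_download(name, ctype, body)}")
```
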
The nature of the attack means it can bypass most memory-based mitigations designed by Microsoft. It works on all versions of Windows, even Windows 10, and, unlike most other Word exploits, it doesn’t require macros to be enabled. It even shows a fake Word document to hide the attack from the victim.
McAfee and FireEye say the vulnerability is related to the Windows Object Linking and Embedding (OLE) function, which allows embedding and linking to documents and other objects.
FireEye said it has been working with Microsoft on the vulnerability for several weeks and had agreed not to publicly disclose it until a patch was released, but decided to reveal the details after McAfee published its post.
Microsoft said it would issue a fix for the issue tomorrow as part of its monthly security updates. But always remember to take care when it comes to suspicious files attached to emails, even if you know the sender.