MS Office zero-day exploited in attacks – no enabling of macros required

The Vulnerability
The flaw is exploited through a specially crafted Microsoft Word RTF (Rich Text Format) file, which contains an embedded OLE2link object. The object instructs Word to send a HTTP request to a remote server controlled by the attackers, to retrieve from it a malicious .hta file masquerading as a RTF file.

A .hta file is an executable, and in this case it loads and executes a malicious script that closes Word (i.e. the winword.exe process), downloads additional payloads, and starts Word again and shows a decoy document.

“Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft,” the researchers explained.

Precautionary action:- (source:
We strongly suggest Office users take the following actions to protect or mitigate against this zero-day attack before Microsoft issues an official patch. We notified the Microsoft Security Response Center as soon as we found the suspicious samples, and we will continue to work with them to protect Office users.
Do not open any Office files obtained from untrusted locations.
According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.

ARTICLE UPDATE (April 11, 2017): The exploit has been spotted being used to infect users with the Dridex banking malware. Microsoft has said it will released a patch for the flaw later today, as part of its regular monthly Patch Tuesday.

Read More: