Wednesday, September 19

MS Word Zero-Day Attack – Unpatched For Years


Researchers at McAfee and FireEye have disclosed another email-based attack method that can be used to compromise a fully updated and patched Windows operating system, even Windows 10.

The attack vector is an unpatched zero-day bug present in all running versions of Microsoft Office. The root cause lies in an important Office feature known as Object Linking and Embedding (OLE), which allows applications to embed and link to documents and objects.

According to the researchers, a victim opening a suspicious Word file – embedded with an OLE2link object – in an email would trigger winword.exe to initiate an HTTP request to the attacker’s remote server. This results in the download of a malicious .hta file (an HTML Application executable) to the victim’s machine. To the user, the HTA file appears as a Microsoft Rich Text document with a .doc extension. This disguise also conceals the file from anti-virus software on the machine.

Image: A part of the communication captured by the McAfee researchers


The HTA file runs malicious scripts to terminate winword.exe, which is done to hide the “user prompts generated by the OLE2link.” The exploit shows a bait Word document to the user while it downloads an extra payload in the background.
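A minimal triage check for the file behaviour described above, added here as an example and not taken from the McAfee or FireEye research: it flags a file that starts with an RTF header yet also carries HTML script content, and an RTF document that holds a linked OLE object. The `\objautlink` control word comes from the RTF specification; the function name, finding labels and sample bytes are constructed for illustration, and treating the lure document as RTF is an assumption.

```python
import re

RTF_MAGIC = b"{\\rtf"  # every RTF file begins with this 5-byte header

# HTML Application content is HTML plus script, so these tags have no
# business inside a file that claims to be a Rich Text document.
SCRIPT_MARKERS = re.compile(rb"<\s*script\b|<\s*hta:application\b", re.IGNORECASE)

# RTF control word marking an OLE object as linked rather than embedded.
LINKED_OBJECT = re.compile(rb"\\objautlink\b", re.IGNORECASE)


def triage(filename: str, data: bytes) -> list[str]:
    """Return finding labels (hypothetical names) for one attachment or download."""
    findings = []
    is_rtf = data.lstrip()[:5].lower() == RTF_MAGIC
    if not is_rtf:
        return findings
    if SCRIPT_MARKERS.search(data):
        # RTF header used as a disguise for script content.
        findings.append("rtf-header-with-script")
    if LINKED_OBJECT.search(data):
        # Opening the document may make Word fetch the link target.
        findings.append("linked-ole-object")
    if filename.lower().endswith(".doc"):
        # Context only: benign on its own, but matches the disguise described.
        findings.append("rtf-named-doc")
    return findings


# Constructed, inert sample inputs (not real captures).
BENIGN = b"{\\rtf1\\ansi Meeting notes}"
LURE = b"{\\rtf1\\ansi{\\object\\objautlink}}"
PAYLOAD = b"{\\rtf1 filler}\n<script language=\"VBScript\">' placeholder</script>"

if __name__ == "__main__":
    for name, blob in [("notes.rtf", BENIGN), ("invoice.doc", LURE),
                       ("template.doc", PAYLOAD)]:
        print(name, triage(name, blob))
```

Any hit on `rtf-header-with-script` deserves attention regardless of file name; `rtf-named-doc` alone is common in benign mail and is only useful alongside the other findings.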

The zero-day attack disclosed by the researchers affects all versions of Microsoft Windows and MS Office. However, Microsoft is aware of the vulnerability, and we can expect a patch in the near future.

Meanwhile, you can use countermeasures

The Protected View feature built into Microsoft Office makes the attack vector ineffective. You can use it to open attachments until Microsoft releases security fixes. Also, you should refrain from obtaining Office files from untrusted locations.

