Here's why you should be wary of Microsoft Word attachments right now

Elizabeth Williams
April 23, 2017

The yet-to-be-patched vulnerability lets hackers remotely execute code on a targeted computer by luring users into opening a Word document which contains an embedded exploit.

Proofpoint said it's testing revealed computers infected with the malware to be "fully exploited" and recommended that "because of the widespread effectiveness and rapid weaponisation of this exploit, it is critical that users and organisations apply the patch as soon as possible".

Researchers at McAfee said that, unlike common Word document attacks, this flaw doesn't rely on macros to execute.

However, this zero-day exploit, which affected all versions of Office, worked differently than traditional Word-related vulnerabilities which involve the documents itself.

The attack was capable of bypassing numerous mitigation systems built into Microsoft Office and Windows created to stop malicious files from executing. McAfee has been in contact with Microsoft and the company is expected to release an update to the anti-virus app that further closes the flaw this week for its habitual Patch Tuesday bug release, BBC has reported.

"We work very closely with Microsoft on a regular basis ... Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers' toolkits", comments Sherrod DeGrippo, director of Emerging Threats for Proofpoint.

To mitigate the security flaw, users should download the most recent patch from Microsoft.

Worryingly, the vulnerability now remains active, but Microsoft has pledged the bug will be nixed when the monthly security update rolls out on April 11. Disabling Macros does not offer any protection.

Details of the vulnerability were first released by McAfee and FireEye over the weekend.

Once the damage is done, a fake Word document is shown to the user, but at that point it is too late-malware is already installed on the machine. Also, users are urged to activate or enable Microsoft Office's Protected View. When the user begins the document, winword.exe concerns an HTTP request to a remote server to recover a malicious.hta file, which seems as a fraudulent RTF file. Also, you should refrain yourself from obtaining Office files from untrusted locations.

Other reports by VgToday

Discuss This Article