CATEGORIES
home News

Hackers Exploit Microsoft Word Auto-Updating Links To Install Spyware

by Paul LillyFriday, August 18, 2017, 11:59 AM EDT
Microsoft Bug

A freelance security consultant and Handler at SANS Internet Storm Center has discovered a rather interesting exploit in Microsoft Word, one that allows an attacker to abuse the productivity program's ability to auto-update links. This is a feature that is enabled by default—when you add links to external sources like URLs, World with automatically update them without any prompts. Therein lies the issue.

"The infection vector was classic: The document (‘N_Order#xxxxx.docx with 5 random numbers) was received as an attachment and has a VT score of 12/59 this morning. The file has an embedded link to another document which is a malicious RTF file that tries to exploit the CVE 2017-0199," security consultant Xavier Mertens explains in a blog post outlining the vulnerability.

Links
Image Source: Xavier Mertens

CVE 2017-0199 pertains to a vulnerability that allows a hacker to download and execute a Visual Basic script containing PowerShell commands when the user opens a document containing an embedded exploit. Security outfit FireEye said back in April that it observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.

In this case, the Word files tries to access the malicious RTF file. If it succeeds, it downloads a JavaScript payload. According to Mertens, the link update is triggered without user interaction or without a prompt warning to the user that such an action will take place.

This seems to be attracting the attention of malicious agents. In addition to FireEye seeing CVE 2017-0199 being exploited in the wild, so has Trend Micro. In a recent blog post, Trend Micro said it saw the former zero-day remote code vulnerability being used with PowerPoint.

"We recently observed a new sample (Detected by Trend Micro as TROJ_CVE20170199.JVU) exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show—the first time we have seen this approach used in the wild before," Trend Micro said.

Bottom line? Keep your head on a swivel, and your AV software updated.
Tags:  Microsoft, Malware, security, Spyware, (nasdaq:msft), microsoft word
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment