Microsoft Word RTF Documents Vulnerable To Dangerous Zero-Day Exploit

As always, be wary of opening email attachments, especially from untrusted sources. Security outfits FireEye and McAfee have both observed malicious Microsoft Office RTF documents in the wild that are exploiting a zero-day vulnerability in Microsoft Windows and Office that has not yet been patched. The samples observed are organized as RTF files with the .doc extension and appear as Word files.

The vulnerability allows an attacker to execute a malicious Visual Basic script when the user opens the document containing an embedded exploit. FireEye says it has seen several Office documents exploiting this particular vulnerability that download and execute malware payloads from different well-known malware families. Furthermore, FireEye says the unpatched vulnerability is able to bypass most mitigations.

"The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script," FireEye explains.

To avoid detection, the malicious script terminates the winword.exe process. It then downloads additional payloads while displaying to the user a decoy document. This way the user is completely unaware that his or her system has been compromised and that malicious code is running in the background.

McAfee said it notified the Microsoft Security Response Center as soon as it discovered samples taking advantage of the exploit. While Microsoft works on a patch, McAfee recommends not opening any Office files obtained from untrusted sources, and also enabling Office Protected View.

Image Source: Flickr (Julien GONG Min)