Microsoft Word users should update the application to fix a zero-day bug that has been "used to infect millions", say researchers.
Updated: Hackers are taking advantage of a newly revealed Microsoft Word zero-day to mount a very large campaign infecting the systems of millions of recipients across numerous organisations, with Australian companies being the main targets.
Cyber criminals are exploiting the vulnerability to spread Dridex malware, according to a blog post by IT security firm Proofpoint. Victims are sent an attached Microsoft Word RTF (Rich Text Format) document via email – the malware exploits a vulnerability related to Windows Object Linking and Embedding (OLE). Researchers said this exploit bypasses most mitigations.
When recipients open the document, the exploit, if successful, is used to carry out a series of actions that lead to the installation of Dridex botnet ID 7500 on the user’s system.
The researchers said that in testing, a vulnerable system was fully exploited even though users were presented a dialogue about the document containing “links that may refer to other files” (user interaction was not required).
“The Microsoft OLE2Link object can open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system,” according to an advisory by CERT at the Software Engineering Institute at Carnegie Mellon University.
Unusually, users do not have to enable macros for the exploit to work. Documents with macros are normally blocked from working by security features in Office and Windows.
Researchers said that campaign was the first they had observed that uses the newly disclosed Microsoft zero-day bug.
“This represents a significant level of agility and innovation for Dridex actors,” said researchers. "This campaign was sent to millions of recipients across numerous organizations primarily in Australia."
We asked Microsoft whether it had seen evidence of the mass email campaign. The vendor released its patch for the flaw yesterday, but this would be too late for anyone who had clicked on a malicious email before then.
A Microsoft spokesperson said that the flaw "was addressed in the April security update release on April 11, 2017. Customers who applied the update, or have automatic updates enabled, are already protected.”
Sherrod DeGrippo, director of Emerging Threats at Proofpoint, said that threat actors continue to demonstrate their flexibility and adaptability, rapidly taking advantage of new means of infecting users.
"Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers' toolkits. New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign that relied on this new exploit,” he said.
Microsoft releases update to patch Word bug
Earlier, Microsoft had announced a patch for a flaw in Microsoft Word that allowed hackers to gain access to a victim's machine.
The company said it would fix the bug, which surfaced last weekend, as part of this week’s “Patch Tuesday”.
A Microsoft spokesman said on Monday: "We plan to address this through an update on Tuesday April 11, and customers who have updates enabled will be protected automatically.
"Meanwhile we encourage customers to practise safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue."
And we'd strongly recommend that users ensure Microsoft Word/Office has the latest updates.
Zero-day Word bug could allow hackers to take over PCs
The patch came after security researchers at two companies had revealed a flaw in Microsoft Word that could allow hackers to gain full access to a victim’s machine.
A previously undisclosed vulnerability in Microsoft Office RTF documents enables a hacker to execute a Visual Basic script when the user opens a malicious document sent to them containing an embedded exploit, according to FireEye and McAfee.
Researchers found several malicious Office documents exploiting the vulnerability, which downloads and executes malware payloads from different well-known malware families.
The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file, according to a blog post by McAfee. Because .hta is executable, the attacker gains full code execution on the victim’s machine.
“Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft,” said Haifei Li, senior vulnerability researcher at McAfee.
He added that the successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system. Li said that the root cause of the zero-day vulnerability is related to Windows OLE.
Genwei Jiang, senior research engineer at FireEye, said that Microsoft Office users are recommended to apply a patch as soon as one is available. He added that FireEye has updated its email and network products to detect the attack.
In tests carried out by McAfee, Li said the attack cannot bypass the Office Protected View. He suggested that users enable Office Protected View.
Microsoft’s Patch Tuesday release of fixes is due tomorrow. There is no word on whether this bug will be fixed in that set of updates.