Microsoft patches Word zero-day booby-trap exploit

Microsoft on Tuesday patched a previously undisclosed Word zero-day vulnerability that attackers have been using to install a variety of malware on victims’ computers.

The zero-day first came to light late last week. In its investigation, SophosLabs determined that exploits against the vulnerability had been happening for some time. SophosLabs principal researcher Gábor Szappanos estimated that most of the activity occurred in March-April 2017, but the first sample the lab located dates back to November 2016.

In its bulletin, Microsoft said the security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. Of the fix, the software giant said, simply:

This security update disables certain graphics filters.

The vulnerability

On unpatched systems, the vulnerability is triggered by opening a document that provokes a benign-looking download warning, followed by a download from a booby-trapped server that sends a document of a more dangerous sort.

In this case, the booby-trapped server sends out a compiled HTML file with an embedded program script. Word accepts and runs the script without producing the warning you would expect to see.

It affects all current Office versions used on every Windows operating system, including the latest Office 2016 running on Windows 10. Attacks do not rely on enabled macros, so no warning for macro-laden documents will appear. The Dridex banking Trojan is among the malware being used in some of the exploits.

Details of the vulnerability were first released by McAfee and FireEye over the weekend. It’s the latest in a long line of bugs attackers can take advantage of through maliciously constructed files.

The United States Computer Emergency Readiness Team (US CERT), part of the Department of Homeland Security (DHS), issued its own advisory on the flaw:

The Microsoft OLE2Link object can open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.

The exploits used in the wild have the following characteristics, CERT said:

  • The document that triggers the OLE2Link vulnerability is an RTF document that masquerades as a Microsoft Word DOC file.
  • The exploit connects to a remote server to obtain and execute an HTA file, which contains VBScript to be executed by the client.

This attack does depend on the user accepting a “load remote content” warning. Without that, the external content will not be pulled.
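As an added defender-side illustration, not taken from the article or from any Sophos tool, the Python heuristic below checks a file for the first-stage traits CERT lists above: RTF content hiding behind a .doc name, and an auto-updating linked OLE object whose data names the OLE2Link class and carries a remote URL. The sample document, the RTF control words chosen and the object layout are constructed assumptions for the example, not a copy of a real sample.

```python
import re
from typing import List

# Assumed markers: RTF normally opens with "{\rtf1"; Word also tolerates a truncated "{\rt".
RTF_MAGIC = b"{\\rt"
# RTF control words that mark an auto-updating linked object (assumed set for this heuristic).
OLE_CONTROL_WORDS = (b"\\objautlink", b"\\objupdate", b"\\objdata")
# \objdata carries the object as a run of hex digits (whitespace allowed).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

def triage(filename: str, data: bytes) -> List[str]:
    """Return a list of tags describing suspicious first-stage traits; empty means nothing stood out."""
    tags: List[str] = []
    if not data.lstrip().startswith(RTF_MAGIC):
        return tags                      # zip-based .docx and OLE .doc are out of scope here
    if filename.lower().endswith((".doc", ".docx")):
        tags.append("rtf-masquerading-as-doc")
    found = [w.decode() for w in OLE_CONTROL_WORDS if w in data]
    if found:
        tags.append("ole-object:" + ",".join(found))
    for blob in OBJDATA_RE.findall(data):
        try:
            raw = bytes.fromhex(blob.decode())   # fromhex skips whitespace (Python 3.7+)
        except ValueError:
            tags.append("objdata-undecodable")
            continue
        if b"OLE2Link" in raw:
            tags.append("ole2link-class")
        if "http".encode("utf-16-le") in raw:    # monikers store the link as UTF-16LE
            tags.append("remote-url-in-object")
    return tags

def build_sample() -> bytes:
    """Constructed stand-in for the first-stage document: RTF with a linked, auto-updating object."""
    obj = b"\x01\x05\x00\x00\x02\x00\x00\x00\x09\x00\x00\x00OLE2Link\x00"
    obj += "http://example.invalid/stage2".encode("utf-16-le")   # placeholder host
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
            + obj.hex().encode() + b"}}}")

if __name__ == "__main__":
    print(triage("invoice.doc", build_sample()))   # four tags for the constructed sample
    print(triage("notes.rtf", b"{\\rtf1\\ansi Hello}"))   # [] for a plain RTF
```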

The patch and other defenses

Sophos detects the first stage RTF downloader used in these exploits as Troj/DocDrop-TJ, and the second stage HTA code as Troj/DocDrop-SU. Sophos customers are protected.

The ultimate solution here is to install Microsoft’s patch as soon as possible. For additional defenses for this and other threats, we suggest the following:

  • If you receive a Word document by email and don’t know the person who sent it, DON’T OPEN IT.
  • It appears that attacks seen in the wild thus far can’t bypass Office Protected View, which means enabling it may provide some extra protection.
  • Use an anti-virus with an on-access scanner (also known as real-time protection). This can help you block malware of this type in a multi-layered defense, for example, by stopping the initial booby-trapped Word file, preventing the Dridex download, blocking the downloaded malware from running, and finding and killing off the Dridex malware in memory.
  • Consider stricter email gateway settings. Some staff are more exposed to malware-sending crooks than others (such as the order processing department), and may benefit from more stringent precautions, rather than being inconvenienced by them.
  • Never turn off security features because an email or document says so. Documents such as invoices, courier advisories and job applications should be legible without macros enabled.