One More Reason to be Wary of Word Docs From Strangers
Microsoft will be releasing a patch tomorrow that closes a hole in Word that allows an attacker to execute code of the attacker’s choice in the victim’s computer, even if it is a fully patched Windows 10 PC and the user doesn’t have to enable macros or do anything after opening the attachment in the email.
Apparently, FireEye has been working with Microsoft for weeks on patching this bug, but McAfee just had to claim credit (undeserved) for the bug that FireEye had found weeks earlier by making a premature announcement about it.
The good news is that if you install your Microsoft patches tomorrow, it will be a non-issue.
Once you click on the Word document to open it, it downloads code from the Internet (using OLE, that ancient system that Microsoft won’t kill). The code is designed to look like an (infected) Word document. After the infected Word document infects your machine, it closes itself and opens a benign document to hide its tracks.
The attack can download any of a variety of nasty stuff. It’s great that the code is modular (not!).
It has been reported that if you open the document in Protected View and DO NOT enable editing, the attack will not work. Protected View, is, I believe, the default for opening documents from the Internet, but may not be the default for documents in email.
Normally, these attacks require the victim to enable macros, which are disabled by default for just this reason, but this attack uses OLE (spit, gasp, snarl), so it gets around the macro security issue.
The good news, if there is any here, is that attackers generally want to keep 0-Day (not generally known attacks) attacks below the radar, so they would not normally use one in a large email spray-and-pray attack; likely you would need to be targeted for the attack. If the attacker can keep the attack quiet, likely the anti-malware vendors won’t find out about it and the attacker can use it longer.
A good rule of thumb would be to be very cautious when opening Word documents received via email.
Information for this post came from Ars Technica.