All Versions of Microsoft Word Vulnerable to Malware Exploit

All Versions of Microsoft Word Vulnerable to Malware Exploit

It was disclosed this week that cybercriminals are using an advanced malware exploit, a vulnerability that’s present in all versions of Microsoft Word, including Office 2016 for Windows 10. The weakness allows hackers to silently install ransomware or other forms of malware on a fully patched computer.

Contemplating the next move at office

This Malware Exploit Is Malicious

The flaw is particularly dangerous because unlike other Word exploits, the attack does not require macros to be enabled. This vulnerability is also significant because it’s present in Windows 10, which experts generally agree is Microsoft’s most secure operating system yet.

The issue actually lies in the Windows Object Linking and Embedding (OLE) technology, which Office programs like Word use to link with or embed objects created by other programs. For example, OLE enables users to link or embed a Microsoft Excel table within a Word document. When users modify the table via Excel, the changes automatically appear when viewed from within Word.

In this attack, criminals exploit the OLE weakness by embedding a malicious OLE2link object inside a Microsoft Word document. A phishing campaign is typically used to distribute the infected document to target victims. When opened, the document follows the OLE2link and retrieves the malware from a remote server, executes it, and installs the malicious code.

Enable Protected View mode

IDG news correspondent, Lucian Constantin says “. . . users should be wary of documents received from untrusted sources and should enable the Office Protected View mode because it can block this attack.”

malware exploit prevention in Microsoft Word with trust center settings

To enable Protected View in Microsoft Word:

  • Click File, Options, Trust Center
  • Click Trust Center Settings
  • Select Protected View and make sure all three boxes are checked


The Scope Is Unknown

At this point, we don’t know how long cybercriminals have exploited this specific vulnerability, or how many organizations have been impacted. But we do know that similar, zero-day attacks are always present and that this type of advanced malware will defeat and bypass conventional malware detection products.

Dan Goodin over at Ars Technica is not impressed with Microsoft’s lackadaisical attitude: “Once known for openly discussing its security challenges, Microsoft over the past year has grown increasingly reticent. Whereas it used to issue useful, actionable guidance when zero-days became public, company officials often decline comment or, worse, dispense with marketing flackery.”

Lastline Enterprise

Fortunately, Lastline’s Deep Content Inspection is capable of seeing and evaluating everything that happens within the CPU, memory, and entire host. When advanced malware uses other programs to carry out malicious acts, Microsoft Word, in this case, Lastline can see that Word is behaving inappropriately. Lastline detects every attempt to retrieve objects from dangerous sites or execute malicious tasks such as modifying registry keys, altering the boot sequence, disabling security features, and more.

In comparison, sandboxes and other competing tools have very limited visibility. Only Lastline can see and evaluate everything that occurs within the malware, other programs, the operating system, and the kernel.

Learn more about how Lastline Enterprise can help any organization fight advanced malware attacks.

Brian Laing

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, who released the industry’s first commercial IPS/FW testing tool.
Brian Laing