All Versions of Microsoft Word Vulnerable to Malware Exploit
It was disclosed this week that cybercriminals are using an advanced malware exploit, a vulnerability that’s present in all versions of Microsoft Word, including Office 2016 for Windows 10. The weakness allows hackers to silently install ransomware or other forms of malware on a fully patched computer.
This Malware Exploit Is Malicious
The flaw is particularly dangerous because unlike other Word exploits, the attack does not require macros to be enabled. This vulnerability is also significant because it’s present in Windows 10, which experts generally agree is Microsoft’s most secure operating system yet.
The issue actually lies in the Windows Object Linking and Embedding (OLE) technology, which Office programs like Word use to link with or embed objects created by other programs. For example, OLE enables users to link or embed a Microsoft Excel table within a Word document. When users modify the table via Excel, the changes automatically appear when viewed from within Word.
In this attack, criminals exploit the OLE weakness by embedding a malicious OLE2link object inside a Microsoft Word document. A phishing campaign is typically used to distribute the infected document to target victims. When opened, the document follows the OLE2link and retrieves the malware from a remote server, executes it, and installs the malicious code.
Enable Protected View mode
IDG news correspondent, Lucian Constantin says “. . . users should be wary of documents received from untrusted sources and should enable the Office Protected View mode because it can block this attack.”
To enable Protected View in Microsoft Word:
- Click File, Options, Trust Center
- Click Trust Center Settings
- Select Protected View and make sure all three boxes are checked
The Scope Is Unknown
At this point, we don’t know how long cybercriminals have exploited this specific vulnerability, or how many organizations have been impacted. But we do know that similar, zero-day attacks are always present and that this type of advanced malware will defeat and bypass conventional malware detection products.
Dan Goodin over at Ars Technica is not impressed with Microsoft’s lackadaisical attitude: “Once known for openly discussing its security challenges, Microsoft over the past year has grown increasingly reticent. Whereas it used to issue useful, actionable guidance when zero-days became public, company officials often decline comment or, worse, dispense with marketing flackery.”
Fortunately, Lastline’s Deep Content Inspection is capable of seeing and evaluating everything that happens within the CPU, memory, and entire host. When advanced malware uses other programs to carry out malicious acts, Microsoft Word, in this case, Lastline can see that Word is behaving inappropriately. Lastline detects every attempt to retrieve objects from dangerous sites or execute malicious tasks such as modifying registry keys, altering the boot sequence, disabling security features, and more.
In comparison, sandboxes and other competing tools have very limited visibility. Only Lastline can see and evaluate everything that occurs within the malware, other programs, the operating system, and the kernel.
Learn more about how Lastline Enterprise can help any organization fight advanced malware attacks.
Latest posts by Brian Laing (see all)
- Protection from Malicious Links - September 22, 2017
- Drive-By Downloads and How to Prevent Them - September 21, 2017
- Combining Lastline and Carbon Black for End-to-End Malware Analysis - September 14, 2017