Late last week, McAfee (which recently separated from Intel) identified and reported a zero-day flaw in Microsoft Word that attackers are exploiting through malicious .doc files. This problem affects all versions of Word and Windows – including the latest versions of Office 2016 and Windows 10.
Then, on Saturday, FireEye confirmed the flaw on its own blog: Acknowledgement of Attacks Leveraging Microsoft Zero-Day
The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
The vulnerability is bypassing most mitigations; however, as noted above, FireEye email and network products detect the malicious documents. Microsoft Office users are recommended to apply the patch as soon as it is available.
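The chain FireEye describes gives a defender three observable events on the endpoint: winword.exe fetching an .hta over HTTP, the HTA host being spawned as a child of winword.exe, and winword.exe being terminated shortly afterwards to hide the OLE2link prompt. The script below is an added example, not code from this post, McAfee or FireEye; it runs those three rules over constructed sample telemetry lines in an assumed "timestamp EVENT key=value ..." format. That mshta.exe is the HTA host process, and the 60-second kill window, are assumptions made here.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample telemetry (assumed format: "<ISO timestamp>Z <EVENT> key=value ...").
# These lines are illustrative and were not captured from the incidents described above.
SAMPLE_EVENTS = [
    '2017-04-10T09:12:01Z NETWORK image=winword.exe dest=203.0.113.10:80 url=http://203.0.113.10/doc.hta',
    '2017-04-10T09:12:02Z PROCESS_CREATE image=mshta.exe parent=winword.exe cmdline="mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\doc.rtf"',
    '2017-04-10T09:12:03Z PROCESS_TERMINATE image=winword.exe',
    '2017-04-10T09:30:00Z NETWORK image=winword.exe dest=192.0.2.5:443 url=https://192.0.2.5/template.dotx',
    '2017-04-10T09:31:00Z PROCESS_CREATE image=splwow64.exe parent=winword.exe cmdline="splwow64.exe 12288"',
    '2017-04-10T09:40:00Z PROCESS_TERMINATE image=winword.exe',
]

WORD = "winword.exe"
HTA_HOST = "mshta.exe"        # assumed: the Windows HTA host process
KILL_WINDOW_SECONDS = 60      # assumed tuning value for the "Word killed after HTA start" rule

_LINE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    rule: str
    when: datetime
    detail: str


def parse_event(line: str) -> Optional[dict]:
    """Split one telemetry line into a dict of fields; returns None for unparsable lines."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts, kind, rest = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = when
    fields["kind"] = kind
    return fields


def detect(lines: List[str]) -> List[Alert]:
    """Apply the three rules, in event order, and return the alerts raised."""
    alerts: List[Alert] = []
    last_hta_spawn: Optional[datetime] = None
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        image = ev.get("image", "").lower()
        # Rule 1: Word itself retrieving an HTA over HTTP (the OLE2link fetch).
        if ev["kind"] == "NETWORK" and image == WORD:
            url = ev.get("url", "")
            if url.split("?", 1)[0].lower().endswith(".hta"):
                alerts.append(Alert("winword_fetched_hta", ev["ts"], url))
        # Rule 2: the HTA host started as a child of Word.
        elif ev["kind"] == "PROCESS_CREATE" and image == HTA_HOST and ev.get("parent", "").lower() == WORD:
            last_hta_spawn = ev["ts"]
            alerts.append(Alert("winword_spawned_mshta", ev["ts"], ev.get("cmdline", "")))
        # Rule 3: Word terminated shortly after the HTA host appeared (prompt suppression).
        elif ev["kind"] == "PROCESS_TERMINATE" and image == WORD:
            if last_hta_spawn is not None:
                delta = (ev["ts"] - last_hta_spawn).total_seconds()
                if 0 <= delta <= KILL_WINDOW_SECONDS:
                    alerts.append(Alert("winword_killed_after_mshta", ev["ts"], f"{delta:.0f}s after {HTA_HOST} start"))
            last_hta_spawn = None  # that Word instance is gone; a later exit belongs to a new one
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.when.isoformat(), a.rule, a.detail)
```

Rule 1 is the weakest of the three: the post notes the retrieved .hta "appears as a fake RTF file", so a URL that does not end in .hta will slip past an extension check, and the process-lineage rule (Word spawning the HTA host) is the one to rely on. The benign template fetch and the print-spooler child in the sample data show that the rules do not fire on ordinary Word network or child-process activity.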
No word yet from Microsoft on whether the company will deliver an out-of-band fix.
UPDATE April 11, 2017: Microsoft Plugs Open Hole in Word that Was Being Actively Exploited