Zero-Day Attack On Microsoft Word’s Critical Flaw


A new zero-day attack in the wild has been reported against Microsoft Office; it targets one of three serious flaws currently under attack. On Tuesday, Microsoft released a set of patches to address the security issues.

According to a few security firms, attackers are exploiting the flaw by sending Word documents carrying malware called Dridex, a perilous bank-fraud threat on the web. A few other security firms reported that attackers are exploiting the same bug to install malware known as Latentbot and Godzilla.

McAfee, a security firm, was the first to report the zero-day attack, in a blog post on Friday. Another security firm, FireEye, said it had been communicating with Microsoft about the vulnerability for quite a few weeks and had agreed not to go public until Microsoft released the patch. After McAfee disclosed the vulnerability, FireEye also decided to publish details of it in a blog post on Saturday.

How Is The Flaw Being Exploited by The Attackers?

Attackers are sending emails to millions of users with an attached Word document that conceals malware. Once the document is opened, the exploit code hidden inside it connects to the attacker's remote server and downloads a malicious HTML file that looks like a Microsoft Rich Text Format document. In the background, the .hta file downloads additional content from various well-known malware communities.

Why Is This a Noteworthy Attack?

First, because the .hta file is executable, the attackers can run code of their choice on the victim's system. This lets them evade the memory-based mitigations developed by Microsoft, which means the malware also works against Windows 10. Second, unlike previous Word exploits seen in the wild, this attack does not require victims to enable macros. Finally, to hide any sign of the attack that has just taken place, the exploit opens a decoy Word document for the target to see.

How to Prevent The Microsoft Zero-Day Exploit?

Microsoft's security experts released patches on Tuesday for flaws in software that includes Exchange Server, Adobe Flash, and the Windows OS. Install the updates as soon as possible. You can also block the code-execution exploit by adding the following to your Windows Registry:

Under Software\Microsoft\Office\15.0\Word\Security\FileBlock, set RtfFiles to 2 and OpenInProtectedView to 0.

It has also been observed that the exploits can still bypass protection even if you view the document with the 'Protected View' feature.
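As an added example (not from the original article or from Microsoft), the PowerShell script below reports whether the two File Block values quoted above are set and, when run with -Apply, writes them. It assumes the per-user hive HKCU: and the DWORD value type, neither of which the article states; the parameter and function names are hypothetical.

```powershell
# Added example: audit, then optionally apply, the Word File Block values from the article.
# Assumptions (not stated in the article): the HKCU: hive and the DWord value type.
[CmdletBinding()]
param(
    [switch]$Apply,                    # without -Apply the script only reports
    [string]$OfficeVersion = '15.0'    # version string used in the article's path
)

$key    = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"
$wanted = [ordered]@{ RtfFiles = 2; OpenInProtectedView = 0 }

function Get-FileBlockState {
    # Returns one object per value: current setting, wanted setting, and whether they match.
    foreach ($name in $wanted.Keys) {
        $current = $null
        if (Test-Path -Path $key) {
            $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $current = $prop.$name }
        }
        [pscustomobject]@{
            Name      = $name
            Current   = $current
            Wanted    = $wanted[$name]
            Compliant = ($null -ne $current -and $current -eq $wanted[$name])
        }
    }
}

$state = @(Get-FileBlockState)
$state | Format-Table -AutoSize

if ($Apply) {
    # Create the key if it does not exist yet, then write only the values that differ.
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($item in $state | Where-Object { -not $_.Compliant }) {
        New-ItemProperty -Path $key -Name $item.Name -Value $item.Wanted `
            -PropertyType DWord -Force | Out-Null
    }
    Get-FileBlockState | Format-Table -AutoSize   # show the result after the change
}
elseif ($state | Where-Object { -not $_.Compliant }) {
    Write-Warning "File Block values differ from the article's setting; re-run with -Apply."
}
```

Running it without -Apply first shows what would change, which is useful when checking many user profiles before and after the patch is installed.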

Other Zero-Day Attacks on Microsoft Products

Attackers were exploiting not only Microsoft Word in the wild but two other Microsoft products as well. One is Internet Explorer, where attackers can gain access to sensitive data from one domain and add it into another. The exploit can bypass the security sandbox and other security protections. The Internet Explorer flaw is being exploited, but there were no elaborate details in Microsoft's 'guidance for CVE-2017-0210'.

The third flaw also exists in Office 2010, 2013 and 2016. It is exploited when you open a malicious EPS image in a Word document. The security patch for this flaw was not part of Tuesday's release.


Microsoft did release the security patch to tackle the Word zero-day attack. If you have a hardware problem with your computer and are unable to access your data, the best choice is to look for software that does data recovery for Windows and Mac.

About the Author: John Harris

With a decade of experience in data recovery, John Harris, Senior Editor at Remo Software, is your go-to specialist. His focus includes partition management, Windows solutions, and data troubleshooting, delivering insightful content that serves both users and search engines. John's expertise shines through in illuminating blog posts, untangling data loss intricacies across diverse storage platforms.…