Microsoft is yet to patch the vulnerability, though a fix is expected tomorrow as part of the monthly Patch Tuesday

Apr 10, 2017 09:40 GMT

Security researchers at FireEye revealed a zero-day vulnerability in Microsoft Word that can be used to deploy malware on unpatched systems with just a malicious RTF document.

The worst part of this disclosure is that the flaw is not yet patched. Microsoft has been working with FireEye on a fix, but FireEye decided to go public with the details because of the growing number of attacks seen lately and because another vendor had already disclosed them publicly.

Specifically, an attacker who wants to take advantage of this vulnerability needs to trick the victim into opening a malicious RTF document on their computer, and the file is typically delivered via email. Once opened, the document executes a Visual Basic script that connects to a remote server to download additional payloads.

Patch possibly coming tomorrow

A successful exploit can bypass most mitigations, FireEye warns, and this is why it’s critical for users to deploy the patch as soon as Microsoft releases it. FireEye has more information on how an attack works on unpatched Windows computers:

“The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file.

“The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.”
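As an added illustration of the chain FireEye describes (this is example code, not code from FireEye, Microsoft or the original article), the following Python script performs two defender-side checks: it scans an RTF file for an embedded object whose class name is OLE2Link, whether written in clear text or hex-encoded inside an `\objdata` group, and it triages proxy log lines for winword.exe fetching a `.hta` resource. The RTF fragment, the log lines and their field layout, and the hosts and addresses in them are all constructed for this example.

```python
"""Defender-side triage for the Word/RTF OLE2link attack chain.

Added example (not FireEye's, Microsoft's or the article's own code):
  1. rtf_has_ole2link(): does an RTF document carry an embedded object whose
     class name is "OLE2Link", in clear text or hex-encoded inside \\objdata?
  2. triage_proxy_log(): over constructed proxy log lines, flag winword.exe
     issuing an HTTP request for a .hta resource.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# "OLE2Link" as it appears when the OLE stream is hex-encoded inside \objdata.
HEX_OLE2LINK = "OLE2Link".encode("ascii").hex()   # 4f4c45324c696e6b

# Constructed RTF fragment: a minimal \object group whose \objdata hex run
# starts with the OLE compound-file magic and then carries the class name.
# Real samples are far larger; this only carries the marker we look for.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 Quarterly report" "\n"
    r"{\object\objautlink\objw1\objh1{\*\objdata "
    + "d0cf11e0a1b11ae1" + "00" * 8 + HEX_OLE2LINK.upper() + "00" * 4
    + "}}}"
)
BENIGN_RTF = r"{\rtf1\ansi\deff0 Hello, world.\par}"


def rtf_has_ole2link(rtf_text: str) -> bool:
    """True if the RTF text references an OLE2Link object.

    The clear-text class name is checked first, then every \\objdata hex run
    with whitespace removed (RTF writers wrap hex data across lines) is
    searched for the hex encoding of "OLE2Link", case-insensitively.
    """
    if "ole2link" in rtf_text.lower():
        return True
    for m in re.finditer(r"\\objdata\s*([0-9a-fA-F\s]+)", rtf_text):
        hex_run = re.sub(r"\s+", "", m.group(1)).lower()
        if HEX_OLE2LINK in hex_run:
            return True
    return False


# Constructed proxy log (hypothetical format): ts host process method url.
# 203.0.113.0/24 and the .invalid TLD are reserved for documentation.
SAMPLE_LOG = """\
2017-04-10T09:40:01Z WS01 winword.exe GET http://203.0.113.10/doc/update.hta
2017-04-10T09:40:02Z WS01 chrome.exe GET http://example.invalid/index.html
2017-04-10T09:40:03Z WS02 winword.exe GET http://example.invalid/template.dotx
2017-04-10T09:40:04Z WS03 outlook.exe GET http://203.0.113.10/x.HTA
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>\S+) (?P<url>\S+)$"
)


def triage_proxy_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, host, url) for every HTTP request made by winword.exe.

    'high'   : Word fetching a .hta resource (the behaviour FireEye describes)
    'medium' : any other fetch from Word, worth a look but often benign
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["proc"].lower() != "winword.exe":
            continue
        path = urlparse(m["url"]).path
        severity = "high" if path.lower().endswith(".hta") else "medium"
        alerts.append((severity, m["host"], m["url"]))
    return alerts


if __name__ == "__main__":
    print("sample RTF flagged:", rtf_has_ole2link(SAMPLE_RTF))
    print("benign RTF flagged:", rtf_has_ole2link(BENIGN_RTF))
    for alert in triage_proxy_log(SAMPLE_LOG):
        print(*alert)
```

The RTF check is deliberately broad: a benign document that merely mentions the word "OLE2Link" in its text would also trigger it, so treat a hit as a reason to detonate the file in a sandbox rather than as proof of compromise. The log check keys on the process name because Word fetching remote content at all is the unusual event; the `.hta` extension only raises the severity, since the page notes the file can be disguised as something else.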

Microsoft is expected to provide a fix tomorrow as part of the Patch Tuesday rollout, and users are advised to avoid opening RTF documents from unknown sources until then. These documents typically spread via email, so marking any suspicious message as spam is the simplest way to stay protected until the patch lands.