The vulnerability, first discovered by McAfee, allows an attacker to bypass security measures in the program, and is linked to the Object Linking and Embedding function in Word. These files are used to load and execute a final Visual Basic script.
Targeted individuals receive an email with an attached document, formatted as .RTF (Rich Text Format). The researchers went on to elaborate how the attack is made possible.
Initially, McAfee researchers said the earliest attack detected was in January this year, explaining that samples suggested Microsoft Word files were being laced with malware and could hit all versions of Office, including the latest software running on Windows 10. Thus, this is a logical bug, and it gives the attackers the power to bypass any memory-based mitigations developed by Microsoft. They added that the vulnerability enables attackers to download and execute malware payloads from different well-known malware families. The .hta content is said to be disguised as a normal RTF file to evade security products. The pattern of the exploit begins with the penetration process. "[Attackers] could accomplish this by sending a specially crafted file to the user and then convincing the user to open the file", continued Sarwate. Computer users whose systems are not set for auto updates should run manual updates.
The initial winword.exe process is terminated in order to hide a user prompt generated by the OLE2link. Since then, the company reported observing several cases where attacks were leveraging the faulty code.
McAfee says the exploit, which affects all versions of Office, is yet to be patched, although Microsoft is reportedly working on a fix.
Cyber security firm Proofpoint warned yesterday that the exploit was being used to spread the trojan software called Dridex. Be on the lookout for communications from Microsoft around this matter.
The tech giant, which has remained tight-lipped in the face of such a serious cybersecurity issue, is expected to push out a patch this week (11 April).
Since the attack does not work when a malicious document is viewed in the Office Protected View feature, users are advised to enable this feature to view any Office documents.