OLE 0day affects nearly all versions of Microsoft Word
Security issues with Word documents are nothing new, but they have a tendency to rely on macros -- something which users have learned to become very wary of. But now security firms FireEye and McAfee have discovered a new attack strategy that takes advantage of Windows Object Linking and Embedding (OLE).
The attack can be used to infect even a fully patched computer with malware, and it is believed to be effective in most -- if not all -- versions of Microsoft Word, and Windows 10 offers no protection. The 0day works by using code embedded in a document to pull in malware from a remote server, using various techniques to hide what is going on.
McAfee revealed some details of the attack just before the weekend: "The samples we have detected are organized as Word files (more specially, RTF files with '.doc' extension name). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack we have seen dates to late January. The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft."
While the RTF file may seem harmless, there is actually a Visual Basic script embedded in it which is used to unleash the payload. FireEye explains how an attack could manifest:
The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
If successfully picked up, malicious documents are flagged up as Malware.Binary.Rtf. FireEye has been working with Microsoft, but a patch is yet to be released.