Major zero-day flaw found in Microsoft Word

The vulnerability, which affects all versions of Office, is exploited via attached .rtf files. A fix is in the latest Patch Tuesday release.


McAfee security researchers are warning of a new zero-day vulnerability in Microsoft Word being exploited via attached .rtf files since at least January.

The exploit lets a booby-trapped Word document install malware on the victim's PC with no visible sign, giving the attackers full control of the machine. According to McAfee, the document works by connecting to a remote server controlled by the attackers and downloading a file that is executed as an .hta file, an HTML Application: an HTML file whose embedded script Windows runs outside the browser sandbox, with the rights of the logged-on user.

Security firm FireEye also noted similar malicious .rtf files in its own alert. Both firms say the flaw lies in Microsoft's Object Linking and Embedding (OLE) technology and affects all versions of Office, including Office 2016 on Windows 10.

Once the victim opens the .rtf file and the .hta executes, the attacker has full access to the victim's machine.
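The delivery chain described above, a linked OLE object inside an RTF that refreshes itself on open and pulls content from a remote server, can be triaged without opening the file in Word. The following scanner is an added example for this article, not code from McAfee, FireEye or Microsoft: it walks the RTF group structure, pulls out every {\object ...} group, decodes its \objdata hex payload and flags objects that are both auto-updating links (\objautlink or \objupdate) and carry a URL. The control words are standard RTF; the sample document, its filler header bytes and the TEST-NET-2 address are constructed for the example and do not reproduce the real exploit file. It is a heuristic for triage, not a signature for this particular flaw.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed fixture for this example (not a real exploit document): one
# linked OLE object that auto-updates and points at a remote .hta, plus one
# benign embedded object. The leading header bytes are filler, not a real OLE stream.
def _sample_rtf(url: str) -> str:
    payload = b"\x01\x05\x00\x00\x02\x00\x00\x00" + url.encode("utf-16-le") + b"\x00\x00"
    return (
        r"{\rtf1\ansi\deff0 Quarterly report attached."
        r"{\object\objautlink\objupdate\objw100\objh100{\*\objclass Word.Document.8}"
        "{\\*\\objdata " + payload.hex() + "}}"
        r"{\object\objemb\objw100\objh100{\*\objclass Package}{\*\objdata 0105000002000000}}"
        "}"
    )

SAMPLE_RTF = _sample_rtf("http://198.51.100.7/doc.hta")  # TEST-NET-2 address, not a real host

URL_RE = re.compile(rb"(?:https?|ftp|file)://[\x21-\x7e]+", re.IGNORECASE)
CW_RE = re.compile(r"\\[a-zA-Z]+-?\d*\s?")   # one RTF control word, e.g. \bin123
NON_HEX_RE = re.compile(r"[^0-9a-fA-F]")


def balanced_group(text: str, start: int) -> str:
    """Return the RTF group beginning at text[start] == '{' through its matching '}'."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        if c == "\\":            # skip an escaped character such as \{ or \}
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]          # unterminated group: hand back the remainder


def find_groups(text: str, control_word: str) -> list[str]:
    """Every balanced group that opens with \\control_word or \\*\\control_word."""
    opener = re.compile(r"\{(?:\\\*)?\\" + re.escape(control_word) + r"(?![a-zA-Z])")
    return [balanced_group(text, m.start()) for m in opener.finditer(text)]


def decode_objdata(group: str) -> bytes:
    """Turn a {\\*\\objdata <hex>} group into raw bytes, ignoring interleaved control words."""
    body = group.split("objdata", 1)[1].rstrip("}")
    hexdigits = NON_HEX_RE.sub("", CW_RE.sub("", body))
    if len(hexdigits) % 2:       # tolerate a truncated trailing nibble
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits)


def find_urls(data: bytes) -> list[str]:
    """URLs stored as plain ASCII or as UTF-16LE (how OLE link monikers usually carry them)."""
    hits = [m.group().decode("ascii") for m in URL_RE.finditer(data)]
    wide = data.decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")
    hits += [m.group().decode("ascii") for m in URL_RE.finditer(wide)]
    return sorted(set(hits))


@dataclass
class OleObject:
    objclass: str
    autolink: bool       # \objautlink: the object is a link, not embedded content
    autoupdate: bool     # \objupdate: Word refreshes the link when the document opens
    urls: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A self-updating linked object that names a remote resource is the
        # "document reaches out and fetches a payload" pattern described above.
        return (self.autolink or self.autoupdate) and bool(self.urls)


def scan_rtf(text: str) -> list[OleObject]:
    """Extract every {\\object ...} group and summarise what it links to."""
    found = []
    for grp in find_groups(text, "object"):
        cls = ""
        for cg in find_groups(grp, "objclass"):
            cls = re.sub(r"^\{(?:\\\*)?\\objclass\s*", "", cg).rstrip("}").strip()
        urls: list[str] = []
        for dg in find_groups(grp, "objdata"):
            urls += find_urls(decode_objdata(dg))
        found.append(OleObject(cls, "\\objautlink" in grp, "\\objupdate" in grp, sorted(set(urls))))
    return found


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_RTF
    for obj in scan_rtf(text):
        print(f"{'SUSPICIOUS' if obj.suspicious else 'ok':10} class={obj.objclass!r} "
              f"autlink={obj.autolink} update={obj.autoupdate} urls={obj.urls}")
```

Run it with a path to an .rtf file to list each embedded object; with no argument it scans the constructed sample, which reports the linked Word.Document.8 object as suspicious and the embedded Package object as benign. A real document may bury the hex under whitespace and junk control words, which is why the decoder strips control words before hex-decoding rather than expecting a clean run of digits.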

"This is a logical bug, and it gives the attackers the power to bypass any memory-based mitigations developed by Microsoft," writes Haifei Li of McAfee in a blog post documenting the vulnerability.

Li said McAfee has notified the Microsoft Security Response Center and recommends common sense: do not open Office files obtained from untrusted sources. McAfee also reports that the attack cannot bypass Office Protected View, which opens documents in a read-only sandbox so they cannot write to disk or run active content, and therefore recommends that everyone keep Protected View enabled. Note that Protected View applies only to files Office considers untrusted, such as email attachments and downloads carrying the mark of the web, and a user who clicks "Enable Editing" leaves the sandbox.

The good news is that a fix was pushed out yesterday as part of a massive Patch Tuesday release, so if you have not run Windows Update, do it now.
