Skip to content
Naked Security Naked Security

Microsoft patches Word zero-day booby-trap exploit

All versions of Office on all versions of Windows are vulnerable to this zero-day that spreads malware, so make sure you patch quickly

Microsoft Tuesday patched a previously undisclosed Word zero-day vulnerability attackers used to install a variety of malware on victims’ computers.

The zero-day first came to light late last week. In its investigation, SophosLabs determined that exploits against the vulnerability had been happening for some time. SophosLabs principal researcher Gábor Szappanos estimated that most of the activity occurred in March-April 2017, but the first sample the lab located dates back to November 2016.

In its bulletin, Microsoft said the security update resolves vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. Of the fix, the software giant said, simply:

This security update disables certain graphics filters.

The vulnerability

On unpatched systems, the vulnerability is triggered by opening a document that provokes a benign-looking download warning, followed by a download from a booby-trapped server that sends a document of a more dangerous sort.

In this case, the booby-trapped server sends out a compiled HTML file with an embedded program script. Word accepts and runs the script without producing the warning you would expect to see.

It affects all current Office versions used on every Windows operating system, including the latest Office 2016 running on Windows 10. Attacks do not rely on enabled macros, so no warning for macro-laden documents will appear. The Dridex banking Trojan is among the malware being used in some of the exploits.

Details of the vulnerability were first released by McAfee and FireEye over the weekend. It’s the latest in a long line of bugs attackers can take advantage of through maliciously constructed files.

The United States Computer Emergency Readiness Team (US CERT), part of the Department of Homeland Security (DHS), issued its own advisory on the flaw:

The Microsoft OLE2Link object can open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.

The exploits used in the wild have the following characteristics, CERT said:

  • The document that triggers the OLE2Link vulnerability is an RTF document that masquerades as a Microsoft Word DOC file.
  • The exploit connects to a remote server to obtain an execute an HTA file, which contains VBScript to be executed by the client.

This attack does depend on the user accepting a “load remote content” warning. Without that, the external content will not be pulled.

The patch and other defenses

Sophos detects the first stage RTF downloader used in these exploits as Troj/DocDrop-TJ, and the second stage HTA code as Troj/DocDrop-SU. Sophos customers are protected.

The ultimate solution here is to install Microsoft’s patch as soon as possible. For additional defenses for this and other threats, we suggest the following:

  • If you receive a Word document by email and don’t know the person who sent it, DON’T OPEN IT.
  •  It appears that attacks seen in the wild thus far can’t bypass the Office Protected View, which means enabling it may provide some extra protection.
  • Use an anti-virus with an on-access scanner (also known as real-time protection). This can help you block malware of this type in a multi-layered defense, for example, by stopping the initial booby-trapped word file, preventing the Dridex download, blocking the downloaded malware from running, and finding and killing off the Dridex malware in memory.
  • Consider stricter email gateway settings. Some staff are more exposed to malware-sending crooks than others (such as the order processing department), and may benefit from more stringent precautions, rather than being inconvenienced by them.
  • Never turn off security features because an email or document says so. Documents such as invoices, courier advisories and job applications should be legible without macros enabled.


8 Comments

Hi Team,

Do we know what patch fixes the vulnerability?

Is it a part of the Monthly Security Roll Up?

Kind Regards,

this would be nice to know but as you noted its probably just part of “the roll-up”… still hate these roll-ups….

Indeed, it is part of one big security roll-up. Personally, I miss the individual bulletins, where you can quickly zero in on which versions are affected, how the vulnerability can be exploited, etc. But that aside, if you deploy the update that is now linked to in the story, it will include the fix for this.

I agree with these guys that you should put the update info into the article. Hopefully this is the right thing: https://support.microsoft.com/en-us/help/3178702/description-of-the-security-update-for-office-2016-april-11-2017

Yes, and so we have. I meant to put it in the story last night and then missed the step. Feel free to pick on me relentlessly!

Hi. You state in the article that “Sophos customers are protected”. What version of Rules or Engine ensures that we are protected? While our IDE Rules were updated on 12 April and our engine was updated on 5 April, I would like to be able to provide the information to upper management so they may sleep better.

Yes please, let us know which Sophos version update is covered ?

The detection name Troj/DocDrop-SU was delivered in the IDE (identity) file spora-u.ide, timestamped on my Mac to 2017-04-10T20:42Z. This blocks the HTA malware component that is delivered because of the exploit – that’s the part that makes the attack work.

We added Troj/DocDrop-TJ to mop up the precursor RTF files as well in the IDE zbot-lpa.ide, timestamped for me at 2017-04-13T00:04Z. You don’t need this one to stop this malware, but it does add an earlier layer of blockage for attacks we’ve seen, so why not?

Like this:

duck@testmac:/Library/Sophos Anti-Virus/IDE$ ls -l spora-u.ide zbot-lpa.ide
-r--r--r-- 1 root admin 20336 10 Apr 21:42 spora-u.ide
-r--r--r-- 1 root admin 38388 13 Apr 01:04 zbot-lpa.ide
duck@testmac:/Library/Sophos Anti-Virus/IDE$

(Those timestamps above are British Summer Time. That’s UTC+1, one hour ahead of Zulu time.)

I think the default update check period is every 10 minutes, so if you don’t have those IDE files yet then your updating is broken (e.g. expired password) or misconfigured (e.g. turned off) – please contact Support to get that sorted out!

PS. Don’t tell anyone I told you this. We aren’t really supposed to do product support on Naked Security, for obvious reasons :-)

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?