• Booby-trapped Word documents in the wild exploit critical Microsoft 0day

    The exploit appears in a Word doc attached to an email message. When you open the doc, it has an embedded link that retrieves an executable HTML file which looks like an RTF file. Apparently, all of that happens automatically.

    The downloaded file loads a decoy that looks like a document, so the user thinks they’re looking at a doc. It then stops the Word program to hide a warning that would normally appear because of the link.

    Very clever. It works on all versions of Windows, including Win10. It works on all versions of Office, including Office 2016.

    Good overview by Dan Goodin at Ars Technica.

    Technical analysis by Genwei Jiang at FireEye.

    FireEye shared the details of the vulnerability with Microsoft and has been coordinating for several weeks public disclosure timed with the release of a patch by Microsoft to address the vulnerability. After recent public disclosure by another company, this blog serves to acknowledge FireEye’s awareness and coverage of these attacks.

    Likely cause of the rush to disclose from Haifei Li at McAfee.

    McAfee’s recommendation:

    • Do not open any Office files obtained from untrusted locations.
    • According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.

    More details in my InfoWorld Woody on Windows post.
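
The post describes the retrieved payload as an executable HTML file that looks like an RTF file. As an added example (not code from this post, FireEye or McAfee), here is a defender-side check a mail or proxy filter could run on a fetched file that presents itself as RTF. The function name, marker list and sample payloads are assumptions constructed for illustration.

```python
import re

RTF_MAGIC = b"{\\rtf"                        # standard RTF file header
RTF_MIME = {"application/rtf", "text/rtf"}   # registered RTF media types
# Assumed marker list: tags that make a file executable HTML for a script host.
ACTIVE = re.compile(rb"<\s*(script|hta:application|html)\b", re.I)

def inspect_download(filename, content_type, body):
    """Return the reasons a payload presenting itself as RTF looks like
    executable HTML instead. An empty list means nothing was flagged."""
    reasons = []
    name = filename.lower()
    mime = content_type.split(";")[0].strip().lower()
    flat = body.replace(b"\x00", b"")        # crude fold so UTF-16 text still matches
    has_header = flat.lstrip().startswith(RTF_MAGIC)

    # Only judge files that claim, by name, type or header, to be RTF.
    if not (name.endswith(".rtf") or mime in RTF_MIME or has_header):
        return reasons

    m = ACTIVE.search(flat)
    if m:
        # A decoy RTF header does not make the file safe: flag any active tag.
        reasons.append("contains <%s> tag" % m.group(1).decode().lower())
    if name.endswith(".rtf") and not has_header:
        reasons.append("named .rtf but has no RTF header")
    if name.endswith(".rtf") and mime and mime not in RTF_MIME:
        reasons.append("Content-Type %s does not match .rtf name" % mime)
    return reasons

# Constructed samples (inert placeholders, not taken from any real attack).
BENIGN = ("report.rtf", "application/rtf", b"{\\rtf1\\ansi Hello \\par}")
DISGUISED = ("template.rtf", "application/hta",
             b"{\\rtf1\\ansi decoy text}\r\n"
             b"<script language=\"VBScript\">' placeholder\r\n</script>")
HTML_AS_RTF = ("invoice.rtf", "text/html", b"<html><body>hi</body></html>")
PLAIN_HTML = ("page.html", "text/html", b"<html><body>hi</body></html>")

if __name__ == "__main__":
    for sample in (BENIGN, DISGUISED, HTML_AS_RTF, PLAIN_HTML):
        print(sample[0], "->", inspect_download(*sample) or "clean")
```

A hit from this check is a triage signal only; McAfee's recommendation quoted above (Protected View) remains the mitigation the post relies on.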