Booby-trapped Word documents in the wild exploit critical Microsoft 0day
Topic started by woody (Manager). This topic has 50 replies, 13 voices, and was last updated 6 years ago.
The exploit appears in a Word doc attached to an email message. When you open the doc, it has an embedded link that retrieves an executable HTML file.
[See the full post at: Booby-trapped Word documents in the wild exploit critical Microsoft 0day]
Replies (27 reply threads):
satrow (AskWoody MVP):
Hmm, Script Defender might provide protection from this as it intercepts several scripting calls, including .hta. I don’t know whether it will install/work on W8 > 10 though.
http://www.analogx.com/contents/download/System/sdefend/Freeware.htm
satrow (AskWoody MVP):
It’s an HTML Application, probably IE (maybe Edge)-only, .hta: https://msdn.microsoft.com/en-us/library/ms536496%28v=vs.85%29.aspx, though I haven’t studied (nor am I qualified to) the internals of this exploit.
anonymous (Guest):
Thank you for the link. I did a Ctrl+F search for ActiveX and this is what I garnered.
I’m wondering if only disallowing ActiveX would mitigate the HTA’s payload.
JNP (AskWoody Lounger):
The FireEye post contains this sentence: “The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file.” Does this mean that if one opens a Word file not in MS Word, but in programs such as WordPerfect or Open Office, the malicious code will not execute?
satrow (AskWoody MVP):
I think the .hta file would directly trigger IE to run it as ‘just’ another executable, thus my earlier reply suggesting Script Defender to intercept this and other rare scripting calls. I’m unsure whether a more basic MS or a non-MS .doc handler would also allow an .hta component to be passed on to IE.
If the .doc software was disallowed from accessing the Internet, that might also be a workaround.
JNP (AskWoody Lounger):
Thanks for the reply. I’ve installed Script Defender; everybody, if you do this, read the install notes, because there is a certain thing one has to do to properly remove SD. Here’s my question: Do I have to put SD in the Windows Startup folder and keep it running for full protection? I imagine I could also just launch it when I receive a Word document as well. Again, thanks.
JNP (AskWoody Lounger):
Yes, thanks so much. A test.vbs file does launch Script Defender (SD), but, as you are assuming a fact not in evidence (I am not a dummy :)), if SD indicates there is a script, one either bugs out of the Word file or one aborts running the VBS when prompted by SD, right? Once again, thanks.
satrow (AskWoody MVP):
If a file type set to be intercepted by SD is launched, SD will leap into action, as you have witnessed. If the interception is unexpected, it should be aborted, at least until you’ve had time to figure out how/what launched the script.
There are very few programs/installers that use the default intercepted script types (I only have one, rarely updated), but your software usage is probably very different to mine.
What can be a nuisance is where WinPatrol is also installed: on installation of SD it will intercept the change in default handler for (most of?) those file types, so just allow the changes.
Obviously, if you do use a lot of those script types, say *.vbs, SD can also become something of a nuisance, but I feel those few extra seconds clicking away the SD popup are worth the extra feedback and potential data/monetary security.
JNP (AskWoody Lounger):
Many thanks, once again. Funny you should mention WinPatrol: I do use it, but allowed SD to make the changes, so SD did what it should do when I ran a test.vbs file.
Also for everybody, there does not appear to be a Protected View option for versions of Word before Word 2010: https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
Noel Carboni (AskWoody_MVP):
Quoting: “winword.exe issues a HTTP request to a remote server …”
I’d be interested in knowing specifically what web site it contacts; I probably already have it blacklisted, but if not it would certainly be a good site to add to the lists. Unfortunately, in all the “for public” releases that information has been redacted.
All these “news” releases appear to seek to sell users security software rather than to inform the public of threat specifics so they can protect against it directly.
Also, several sites mention using “Protected View”, but I didn’t note any specific instructions for ensuring Office “Trust Center” settings are proper (e.g., File – Options, choose Trust Center, etc.)
-Noel
anonymous (Guest):
The main article has a link to “What is Protected View”; perhaps it was added after your comment.
“I want to change my Protected View settings
We advise speaking with your administrator before you make changes to your Protected View settings.
1. Click File > Options.
2. Click Trust Center > Trust Center Settings > Protected View.
3. Make the selections that you want.”
anonymous (Guest):
Quoting: “I’d be interested in knowing specifically what web site it contacts”
Yeah, what’s up with that? Go to the McAfee link and email them, Noel, and send them your post as a resume, and persuade them to give up the IP. YOU CAN DO IT~~
Topic: A Description of My Quite Effective Security Environment (Long) @ AskWoody
John in Mtl (AskWoody Lounger):
Part of my security strategy involves denying all applications access to the LAN and the WAN – a local software firewall (part of a 2nd layer of protection) displays an ask/deny dialog for anything trying to execute in or out communication. I would venture that I’m protected from this threat because the firewall would block Word from fetching the malicious URL; yes, no?
However, if Word used any comm routines involving “svchost” before opening its GUI, then obviously I’m screwed because I allow svchost full access at all times. But I’ve never seen any MS Office app behave this way, ever! I only use Office 2003 & 2007, never will use 360 or any other cloud based office version.
anonymous (Guest):
Look at this again John,
“The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft. The following is a part of the communications we captured:”
Yet at the bottom of the post they say that MS’s own Protected View (software based) will mitigate the payload by running/opening the file in a “restricted mode.”
Trust Center contains security & privacy settings
I don’t have a version of Office that incorporates Protected View. Yet I have looked into Malwarebytes Anti-Exploit’s Advanced Settings as seen in this review and see similar terminology. So I think (and have seen it block web traffic) I’ll rest better. Plus I’m not exactly Zero-Day target material anywho.
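A defender-side illustration of the chain quoted in the post above (winword.exe fetching a .hta over HTTP, then the .hta being executed), added here as an example; it is not code from the thread or from any vendor write-up. It runs three rules over constructed telemetry lines; the event format, field names and pid values are assumptions made for the example, and mshta.exe appears because it is the Windows handler for .hta files.

```python
import re
from urllib.parse import urlsplit
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry (assumed format, not from any real sensor): one
# event per line, every field as key="value". "net" = outbound HTTP request by a
# process, "proc" = child process creation. The pid 4120 events reproduce the
# chain described in the thread: WINWORD.EXE fetches a .hta, then it is run.
SAMPLE_EVENTS = r'''
type="net" pid="4120" image="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" url="http://203.0.113.10/template.rtf"
type="net" pid="4120" image="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" url="http://203.0.113.10/loader.hta"
type="proc" pid="4188" ppid="4120" parent="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe C:\Users\u\AppData\Local\Temp\loader.hta"
type="net" pid="5000" image="C:\Program Files\Internet Explorer\iexplore.exe" url="https://example.test/index.html"
type="proc" pid="5100" ppid="4120" parent="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" image="C:\Windows\System32\splwow64.exe" cmdline="splwow64.exe"
'''

# Office and WordPad are the parsers named in the advisory; mshta.exe is the
# Windows handler for .hta, wscript/cscript run .vbs and other script files.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse(text: str) -> List[Dict[str, str]]:
    """Turn the key="value" lines into dicts, skipping blank lines."""
    return [dict(FIELD.findall(ln)) for ln in text.splitlines() if ln.strip()]


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (severity, rule, office_pid) alerts, in event order.
    office-http: an Office/WordPad process made any outbound HTTP request
      (the workaround suggested in the thread is to block this entirely).
    office-fetches-hta: the requested URL path ends in .hta.
    office-spawns-script-host: an Office parent launched mshta/wscript/cscript.
    office-hta-chain: fetch and spawn seen for the same Office pid."""
    alerts: List[Tuple[str, str, str]] = []
    fetched_hta: Set[str] = set()
    for ev in events:
        kind = ev.get("type")
        if kind == "net" and basename(ev.get("image", "")) in OFFICE_APPS:
            if urlsplit(ev.get("url", "")).path.lower().endswith(".hta"):
                alerts.append(("high", "office-fetches-hta", ev["pid"]))
                fetched_hta.add(ev["pid"])
            else:
                alerts.append(("low", "office-http", ev["pid"]))
        elif (kind == "proc"
              and basename(ev.get("parent", "")) in OFFICE_APPS
              and basename(ev.get("image", "")) in SCRIPT_HOSTS):
            alerts.append(("high", "office-spawns-script-host", ev["ppid"]))
            if ev["ppid"] in fetched_hta:
                alerts.append(("critical", "office-hta-chain", ev["ppid"]))
    return alerts


if __name__ == "__main__":
    for sev, rule, pid in detect(parse(SAMPLE_EVENTS)):
        print(f"{sev:8s} {rule:26s} office pid {pid}")
```

The iexplore.exe request and the splwow64.exe child (a normal Office print helper) produce no alerts, which is the point of keying the rules on the Office parent rather than on any script host or any HTTP request.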
JohnW (AskWoody Plus):
Quoting: “All these “news” releases appear to seek to sell users security software rather than to inform the public of threat specifics so they can protect against it directly.”
Yup. Saw this comment in the FireEye article…
“The vulnerability is bypassing most mitigations; however, as noted above, FireEye email and network products detect the malicious documents.”
Windows 10 Pro 22H2
JohnW (AskWoody Plus):
Quoting: “Look at this again John,
I don’t have a version of Office that incorporates Protected View. Yet I have looked into Malwarebytes Anti-Exploit’s Advanced Settings as seen in this review and see similar terminology. So I think (and have seen it block web traffic) I’ll rest better. Plus I’m not exactly Zero-Day target material anywho.”
FYI, Malwarebytes Anti-Exploit is now part of Malwarebytes 3.0 Premium. It is available as a 14 day free trial, which reverts to a free version malware scanner without real-time protection.
Windows 10 Pro 22H2
woody (Manager):
Probably not so obvious from my write-up: Zero-days as juicy as this one are often the work of nation-states, so people like you and me don’t need to get too worked up. (Unless you’re providing high security support to a military organization.)
But as soon as the details are published, malware script manufacturers run around trying to replicate the infection scenario, all the better to sell the latest to script kiddies.
That’s why “responsible disclosure” really matters.
anonymous (Guest):
A patch is expected tomorrow as part of Patch Tuesday (see last sentence): http://www.zdnet.com/article/hackers-are-attacking-word-users-with-new-microsoft-office-zero-day-vulnerability/?loc=newsletter_large_thumb_featured&ftag=TRE17cfd61&bhid=20703193368173122880888901483479
anonymous (Guest):
A tweet from the person who purportedly originally discovered this vulnerability:
“the vulnerability I discovered is exploited through Office, but that does not necessarily mean it is isolated to Office”
Given the description of the vulnerability, I agree.
MrBrian (AskWoody_MVP):
Fixed in these updates:
Office 2016: https://support.microsoft.com/en-us/help/3178703/description-of-the-security-update-for-office-2016-april-11-2017
Office 2013: https://support.microsoft.com/en-us/help/3178710/description-of-the-security-update-for-office-2013-april-11-2017
Office 2010: https://support.microsoft.com/en-us/help/3141538/description-of-the-security-update-for-office-2010-april-11-2017
anonymous (Guest):
Filtered: CVE-2017-0199

| Release date | KB | Product |
|---|---|---|
| 04/11/2017 | 4014793 | Windows Vista Service Pack 2 |
| 04/11/2017 | 4014793 | Windows Server 2008 for 32-bit Systems Service Pack 2 |
| 04/11/2017 | 4015549 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 |
| 04/11/2017 | 4014793 | Windows Server 2008 for x64-based Systems Service Pack 2 |
| 04/11/2017 | 4014793 | Windows Server 2008 for Itanium-Based Systems Service Pack 2 |
| 04/11/2017 | 4015549 | Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 |
| 04/11/2017 | 4015551 | Windows Server 2012 |
| 04/11/2017 | 4014793 | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) |
| 04/11/2017 | 4014793 | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) |
| 04/11/2017 | 4015549 | Windows 7 for x64-based Systems Service Pack 1 |
| 04/11/2017 | 4015551 | Windows Server 2012 (Server Core installation) |
| 04/11/2017 | 4015549 | Windows 7 for 32-bit Systems Service Pack 1 |
| 04/11/2017 | 4015549 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) |
| 04/11/2017 | 4014793 | Windows Vista x64 Edition Service Pack 2 |
| 04/11/2017 | 3178710 | Microsoft Office 2013 Service Pack 1 (64-bit editions) |
| 04/11/2017 | 3178710 | Microsoft Office 2013 Service Pack 1 (32-bit editions) |
| 04/11/2017 | 3141529 | Microsoft Office 2007 Service Pack 3 |
| 04/11/2017 | 3178703 | Microsoft Office 2016 (32-bit edition) |
| 04/11/2017 | 3141538 | Microsoft Office 2010 Service Pack 2 (32-bit editions) |
| 04/11/2017 | 3141538 | Microsoft Office 2010 Service Pack 2 (64-bit editions) |
| 04/11/2017 | 3178703 | Microsoft Office 2016 (64-bit edition) |
MrBrian (AskWoody_MVP):
An important detail from CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API:
“The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue.”
It seems that both a Windows update and an Office update are needed to make Office invulnerable to this vulnerability.
MrBrian (AskWoody_MVP):
It seems my previous statement is likely correct. Operating systems before Windows 7 have a separate Windows update, “Security update for the Microsoft Office remote code execution vulnerability: April 11, 2017”, that updates file ole32.dll and some other operating system files. Windows 7 and 8.1 have similar changes in the monthly rollups and security-only updates.
anonymous (Guest):
MBAE 1.09 – Latest standalone BETA
1.09.1.1384 4/12/2017
New Features:
• Hardened and more secure API hooking framework
• Added self-protection mechanisms
• Added sandbox technique for Silverlight
• Added Layer3 techniques against Macro exploits
• Added Layer3 techniques against social engineering exploits
• Added Java advanced configuration options for companies
• Added dynamic configuration feature to manage conflicts
• Added support for MS Play Ready
• Changed balloon notification to off by default
• Remove Run entry during uninstallation
Fixes:
• Fixed conflict with Symantec DLP
• Fixed conflict with Chinese banking software
• Fixed conflict with Sophos AV
• Fixed Edge browser crashes on Windows Insider Preview builds
• Fixed MS Office application crashes with MBAE
• Fixed conflict with McAfee HIPS
• Fixed false positives with Java Protection Technique
• Fixed a logging issue for critical errors
• Fixed service restart issues
Jonesy (AskWoody Lounger):
Crikey.
I don’t have Office X, just the Win7Pro 64 SP1 OS. I use OpenOffice 4.1.3 and Foxit PDF. When Dell and local Mr Fixit Computer Guy insist on turning on WU to Auto and installing the March patches without clearing it with me first, I feel like it’s you and me against the world.
Based on all the checking I’ve been doing this week, I think, I could be wrong, but I think I’m ok, despite getting a .doc from tcm.com with a return USPS label for some bad Adam-12. It has been decades since anyone has done that to me.
Just for that, they won’t get my MST3K The Joel Years order. The Mike Years will see me later.
Many thanks to Woody and all his compatriots for ramrodding this patch drive. Extra brews are due ye.
Still Learning
AlexN (AskWoody Lounger):
Forgive me if this question seems dumb, but why in the name of all things holy would these companies even operate under a system as dumb as “make the bug known, and if no fix comes in 60 days we’ll post the exploit in public where hackers can use it”?
Fortran, C++, R, Python, Java, Matlab, HTML, CSS, etc.... coding is fun!
A weatherman that can code
b (Manager):
McAfee screwed up:
“As to why the company published the blog post four days prior to Patch Tuesday, McAfee attributed it to a “glitch.”
“We had a glitch in our communications with our partner Microsoft that impacted a coordinated response to these attacks, which is being corrected,” writes Vincent Weafer, vice president of McAfee Labs. “We have nothing more to say at this time.””
http://www.bankinfosecurity.com/blogs/did-microsoft-drop-ball-on-word-zero-day-flaw-p-2448
Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge
b (Manager):
Quoting: “Your desperation to defend Windows (in particular, Windows10) led you to not even coming close to answering my question.”
I answered your question completely and exactly, and it had nothing whatsoever to do with Windows 10.
Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge
zero2dash (AskWoody Lounger):
Was anyone able to test whether or not EMET protected against this?
The Ars article mentioned not knowing whether EMET did protect against it, but I see no confirmation either way.
I figure since many of us here are more stringent on ‘how’ we test, maybe someone’s covered that.
Just curious – TIA. 🙂
MrBrian (AskWoody_MVP):
From CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API:
“[Version] 1.1 21-Apr-2017 Corrected severity entries for Microsoft Office products. This is an informational change only. Customers who have successfully installed the update do not need to take any further action.”
MrBrian (AskWoody_MVP):
From Hackers exploited Word flaw for months while Microsoft investigated:
“To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199.
The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft’s regular monthly security update.
But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time.”
MrBrian (AskWoody_MVP):
From An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability (June 4, 2017):
“FortiGuard Labs recently came across a new strain of samples exploiting the CVE-2017-0199 vulnerability. This vulnerability was fixed by Microsoft and the patch was released in April 2017. Due to its simplicity, it can be easily exploited by attackers. It has also been found in-the-wild by other vendors. We have also blogged about some samples recently found in spear phishing attack.”
Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.