An exploit for an unpatched Microsoft Office OLE vulnerability has been observed in the wild. When the user opens a document carrying the embedded exploit, it executes a Visual Basic script. The vulnerability was initially reported by Ryan Hanson. According to McAfee, the earliest attacks were observed in late January 2017. The exploit works against all Microsoft Office versions, including on Windows 10. The samples obtained are Word files.
Exploitation:
A target user receives a Microsoft Word document embedded with an OLE2link object. When the user opens the file, winword.exe connects to a remote server and downloads an .hta file that presents itself as an RTF document. Upon execution, the .hta file closes the initial Word document and displays a decoy file while it downloads additional payloads in the background. The exploit works against all versions of Microsoft Office, including Office 2016 on Windows 10, and because it abuses a logic flaw in OLE link handling rather than memory corruption, Microsoft's memory protection features do not stop it.
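A triage check for the document side of this chain, added here as an example and not code from the original post or from any of the cited vendors: it pulls the hex of every \objdata stream out of an RTF, decodes it, and looks for the two indicators that tie a file to this exploit, the "OLE2Link" class name and a serialized URL moniker (CLSID 79EAC9E0-BAF9-11CE-8C82-00AA004BA90B) whose target is then recovered so the remote .hta host can be blocked. The \objupdate control word is reported too, since it is what makes Word fetch the link on open. The sample document is constructed in the script and carries only these indicator bytes, not a working OLE object; the URL in it is invented.

```python
import re
import uuid

# Indicators of the OLE2Link document chain described above.
OLE2LINK_CLASS = b"OLE2Link"
# URL moniker CLSID as it is serialized (little-endian) inside the OLE stream.
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B").bytes_le

# Matches the hex payload of a {\*\objdata ...} group, whitespace included,
# because RTF writers (and obfuscators) wrap the hex across many lines.
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf):
    """Return the decoded bytes of every \\objdata group in the RTF."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a dangling nibble
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def extract_moniker_url(blob):
    """Recover the URL from a serialized URL moniker, or None if absent.

    Layout after the CLSID: DWORD length, then a NUL-terminated UTF-16LE URL
    (the length may also cover trailing GUID/version fields, so we cut at NUL).
    """
    idx = blob.find(URL_MONIKER_CLSID)
    if idx < 0:
        return None
    start = idx + len(URL_MONIKER_CLSID)
    length = int.from_bytes(blob[start:start + 4], "little")
    raw = blob[start + 4:start + 4 + length]
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def scan_rtf(rtf):
    """Heuristic scan: OLE2Link class name plus a URL moniker is the red flag."""
    findings = {"ole2link": False, "objupdate": b"\\objupdate" in rtf, "urls": []}
    for blob in extract_objdata(rtf):
        if OLE2LINK_CLASS in blob:
            findings["ole2link"] = True
        url = extract_moniker_url(blob)
        if url:
            findings["urls"].append(url)
    findings["suspicious"] = findings["ole2link"] and bool(findings["urls"])
    return findings


def build_sample():
    """Constructed test document: indicator bytes only, not a working exploit."""
    url_bytes = "http://example.invalid/update.hta".encode("utf-16-le") + b"\x00\x00"
    ole_stream = URL_MONIKER_CLSID + len(url_bytes).to_bytes(4, "little") + url_bytes
    # OLE1 native-data header: version 0x501, format id 2, class name (NUL-terminated)
    native = (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
              + (len(OLE2LINK_CLASS) + 1).to_bytes(4, "little") + OLE2LINK_CLASS + b"\x00"
              + ole_stream)
    hexdata = native.hex().encode("ascii")
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\rsltpict"
            b"{\\*\\objclass Word.Document.8}{\\*\\objdata " + wrapped + b"}}}")


if __name__ == "__main__":
    print(scan_rtf(build_sample()))
```

This is a string-level heuristic, not a parser: on a real sample the OLE stream usually lands contiguously in the compound file's mini stream, so the URL is recoverable this way, but heavily obfuscated RTFs (control words injected inside the hex, nested groups) should go through a proper RTF/OLE parser before you trust a negative result.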
Mitigation:
Open files in Protected View, which restricts them to read-only mode with minimal editing features. As a rule of thumb, avoid opening files from untrusted sources. It is unclear whether Windows Defender detects this attack. We request our customers to scan their network with QID 110297 and QID 91355 to detect vulnerable targets. Please follow ThreatProtect for further coverage of this vulnerability.
Updates:
The exploit targets CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API). The issue has been fixed in Microsoft's April 2017 update, released as KB4014793, KB4015549, KB4015551, KB3178710, KB3141529, KB3178703 and KB3141538.
References:
Critical Office Zero-Day Attacks Detected in the Wild (McAfee)
Acknowledgement of Attacks Leveraging Microsoft Zero-Day (FireEye)
HTML Applications (Microsoft)
CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API (Microsoft Security TechCenter)