Microsoft Patches Critical Zero-Day Exploit in Office Suite

This Patch Tuesday, Microsoft issues a fix for a zero-day vulnerability in the Office productivity suite that attackers were actively exploiting.

As promised, Microsoft released a patch today that fixes a zero-day vulnerability in Office that cyber-attackers were already exploiting.

Word of the vulnerability spread just prior to the weekend when McAfee security researchers published an advisory on the cyber-security company's blog. The vulnerability was traced to the Windows Object Linking and Embedding (OLE) component present in Office software that enables users to link to content in their documents.

"The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim's machine," stated McAfee.

This tactic allows the attack to appear as a logical flaw, enabling it to slip past Microsoft's memory-based mitigation technologies, the post explained. The zero-day attack involved RTF (Rich Text Format) files with a .doc file extension that effectively appear as Word files to Office users.

When contacted by eWEEK's Sean Michael Kerner, a Microsoft spokesperson said a patch was set to arrive on April 11. "Meanwhile, we encourage customers to practice safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue," the spokesperson advised.

Today, Microsoft confirmed to eWEEK that it had patched the flaw. "This was addressed in the April security update release today, April 11, 2017. Customers who applied the update, or have automatic updates enabled, are already protected," said a Microsoft spokesperson.

Details on the patch are available in this security advisory (CVE-2017-0199) from Microsoft, which also confirms McAfee's claim that an exploit is in the wild. The vulnerability carries a Critical severity rating, Microsoft's highest, for several versions of Office going back to Office 2007 SP3.

Microsoft's Office productivity software suite is a popular target for cyber-attackers, due in large part to its ubiquity in the corporate world.

Business users regularly trade Office files via email, a fact that cyber-attackers rely on for their spam and phishing campaigns. "As Microsoft Office is an extensively used productivity suite on Windows desktop computers, this actively attacked vulnerability poses a big concern," said Amol Sarwate, director of Engineering at Qualys, in an email sent to eWEEK.

"Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Office or WordPad. [Attackers] could accomplish this by sending a specially crafted file to the user and then convincing the user to open the file," continued Sarwate. "We recommend administrators patch this as soon as possible."

Sarwate also suggested that organizations enable the Protected View feature in Office, a read-only view, of sorts, that disables functionally that malware typically hooks into during an attack. Despite enabling Protected view, users should remain vigilant.

"Even when Protected View is enabled users should take extreme precaution while opening files obtained from un-trusted sources or while opening unexpected e-mail even from trusted sources as they could be spoofed," Sarwate added.

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...