Zero-Day Flaw in Microsoft Word Can Be Used to Hijack Any Windows System

Post by Whatacrock »

Zero-Day Flaw in Microsoft Word Can Be Used to Hijack Any Windows System

Security researchers at FireEye revealed a zero-day vulnerability in Microsoft Word that can be used to deploy malware on unpatched systems with just a malicious RTF document.

The worst thing in this new disclosure is that the security flaw is not yet patched, and although Microsoft has been working with FireEye to develop a fix, the company decided to go public with these details because of the growing number of attacks happening lately and after another vendor disclosed them publicly too.

Specifically, an attacker who wants to take advantage of this security vulnerability needs to trick the victim into opening a malicious RTF document on their computer, and to do this, they send the file via email. Once launched, this document executes a Visual Basic script that connects to a remote server to download additional payloads.

"Patch possibly coming tomorrow"

A successful exploit can bypass most mitigations, FireEye warns, and this is why it’s critical for users to deploy the patch as soon as Microsoft releases it. FireEye has more information on how an attack works on unpatched Windows computers:

“The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file.

“The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.”

Microsoft is expected to provide a fix tomorrow as part of the Patch Tuesday rollout, and users are recommended to avoid opening RTF documents coming from unknown sources. These documents are typically spreading via email, so just mark as spam any suspicious messages to remain protected until a patch lands.

http://news.softpedia.com/news/zero-day ... 4726.shtml
"Now if you Sons of B*@ches got anything else to say, NOW'S THE F@#%ING TIME!!"
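
Added example, not part of the post or the quoted article: a static triage pass that flags an RTF file carrying a linked OLE object of the kind FireEye describes (an OLE2link object that pulls content from a remote server) without opening it in Word. The function names, the sample blobs and the `example.invalid` host are assumptions made for illustration.

```python
import re

# RTF control words for a linked OLE object and for refresh-on-open
LINK_WORDS = (b"\\objautlink", b"\\objlink", b"\\objupdate")
OBJDATA = re.compile(rb"\\objdata\b([^{}\\]*)", re.S)
URL = re.compile(rb"https?://[\x21-\x7e]+")


def decode_objdata(blob: bytes) -> bytes:
    """Hex-decode an \\objdata payload, skipping whitespace between digits."""
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", blob)
    return bytes.fromhex(digits[: len(digits) // 2 * 2].decode("ascii"))


def triage_rtf(data: bytes) -> dict:
    """Report linked-object indicators in an RTF file without opening it in Word."""
    report = {
        "is_rtf": data.lstrip().startswith(b"{\\rtf"),
        "link_words": [w.decode() for w in LINK_WORDS if w in data],
        "ole2link": False,
        "urls": [],
    }
    for match in OBJDATA.finditer(data):
        raw = decode_objdata(match.group(1))
        report["ole2link"] = report["ole2link"] or b"OLE2Link" in raw
        # The link target may be stored as UTF-16LE; dropping NULs covers both
        for url in URL.findall(raw) + URL.findall(raw.replace(b"\x00", b"")):
            if url.decode() not in report["urls"]:
                report["urls"].append(url.decode())
    report["suspicious"] = (
        report["is_rtf"] and report["ole2link"] and bool(report["urls"])
    )
    return report


# Constructed samples. The blob only carries the two strings the scanner looks
# for; it is not a valid OLE object. example.invalid is a placeholder host.
_BLOB = (b"\x01\x05\x00\x00OLE2Link\x00"
         + "http://example.invalid/a.rtf".encode("utf-16-le") + b"\x00\x00\x01")
LINKED_SAMPLE = (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata "
                 + _BLOB.hex().encode() + b"}}}")
PLAIN_SAMPLE = b"{\\rtf1\\ansi Quarterly report, text only.}"

if __name__ == "__main__":
    for name, sample in (("linked", LINKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, triage_rtf(sample))
```

The regex reads only a flat hex run after `\objdata`, so a hit is a reason to quarantine the attachment, while a miss is not proof the file is clean.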

Re: Zero-Day Flaw in Microsoft Word Can Be Used to Hijack Any Windows System

Post by Whatacrock »

Microsoft to Release Patch Fixing Zero-Day Office Vulnerability Today

Microsoft has confirmed that this month’s Patch Tuesday would bring an update aimed at fixing a vulnerability in Word that exposes users to malware infections.

Disclosed by security company FireEye, the Microsoft Word security flaw makes it possible for hackers to hijack Windows computers with the help of a malicious RTF document that hides code which then triggers malware downloads on target systems.

Microsoft has confirmed in a statement that it plans to address the vulnerability as part of today’s Patch Tuesday rollout, saying that users are recommended to avoid opening documents coming from unknown sources until the fix is deployed.

“We plan to address this through an update on Tuesday April 11, and customers who have updates enabled will be protected automatically,” a company spokesperson said.

“Meanwhile we encourage customers to practice safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue.”

"Bypassing all mitigation systems"

Security company McAfee has also confirmed the security vulnerability and said that attackers are able to bypass most mitigation features in Windows to compromise a target computer.

“The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft,” McAfee said.

The vulnerability affects all Windows computers, including the latest Windows 10, as well as all Office versions, so the only way to remain secure without a patch is to avoid opening documents coming from untrusted sources.

The Patch Tuesday rollout begins later today, so make sure that you deploy this month’s fixes as soon as possible, especially if you’re working with Word documents and the RTF format in particular.

http://news.softpedia.com/news/microsof ... 4770.shtml

Re: Zero-Day Flaw in Microsoft Word Can Be Used to Hijack Any Windows System

Post by Whatacrock »

Microsoft Releases Patch for Zero-Day Flaw in Office and WordPad

As promised, Microsoft used this month’s Patch Tuesday cycle to publish a patch for a zero-day vulnerability in the Office productivity suite and WordPad that would have allowed attackers to infect systems with malware using a compromised RTF document.

Details of this security vulnerability were published online earlier this week, and Microsoft acknowledged the problem, promising a fix on Patch Tuesday and recommending users to avoid opening RTF documents coming from untrusted sources until a patch is deployed.

Today, the company rolled out the fix and said that RTF documents could open the door for full control on a vulnerable system, with attackers being able to do virtually anything on a PC once infected.

“A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft says.

"Patch as soon as possible"

The company goes on to explain how the patch fixes the vulnerability, adding that in most of the cases, the RTF document is delivered via email to potential targets.

“The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue,” the company adds.

It goes without saying that users must deploy this new patch as soon as possible, especially given the fact that it’s a zero-day and details have already been published online.

In the case of systems where immediate patching is not yet possible, users are recommended to avoid opening RTF documents coming from untrusted sources or to switch to other applications that can handle this format and are not affected by the vulnerability.

http://news.softpedia.com/news/microsof ... 4809.shtml