Booby-trapped Word documents in the wild exploit critical Microsoft 0-day

Update, 4/10/2017, 9:20 AM California time: Security experts are reporting that Microsoft will patch the vulnerability on Tuesday. In the meantime, users can block
code-execution exploits by adding the following to their Windows registry: Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2 and OpenInProtectedView to 0. What follows is the report as it was published on Saturday.

There's a new zero-day attack in the wild that's surreptitiously installing malware on fully patched computers. It does so by exploiting a vulnerability in most or all versions of Microsoft Word.

The attack starts with an e-mail that attaches a malicious Word document, according to a blog post published Saturday by researchers from security firm FireEye. Once opened, exploit code concealed inside the document connects to an attacker-controlled server. It downloads a malicious HTML application file that's disguised to look like a document created in Microsoft's Rich Text Format. Behind the scenes, the .hta file downloads additional payloads from "different well-known malware families."

The attack is notable for several reasons. First, it bypasses most exploit mitigations: this capability allows it to work even against Windows 10, which security experts widely agree is Microsoft's most secure operating system to date. Second, unlike the vast majority of the Word exploits seen in the wild over the past few years, this new attack doesn't require targets to enable macros. Last, before terminating, the exploit opens a decoy Word document in an attempt to hide any sign of the attack that just happened.

The zero-day attacks were first reported Friday evening by researchers from security firm McAfee. In a blog post, they wrote:

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim's machine. Thus, this is a logical bug [that] gives the attackers the power to bypass any memory-based mitigations developed by Microsoft. The following is a part of the communications we captured:

The successful exploit closes the bait Word document and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim's system.

The root cause of the zeroday vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office. (Check our Black Hat USA 2015 presentation in which we examine the attack surface of this feature.)

FireEye researchers said they have been communicating with Microsoft about the vulnerability for several weeks and had agreed not to publicly disclose it pending the release of a patch. FireEye later decided to publish Saturday's blog post after McAfee disclosed vulnerability details. McAfee, meanwhile, said the earliest attack its researchers are aware of dates back to January. Microsoft's next scheduled release of security updates is this Tuesday.

Zero-day attacks are typically served only on select individuals, such as those who work for a government contractor, a government agency, or a similar organization that's attractive to nation-sponsored hackers. Still, it's not uncommon for such attacks to be visited on larger populations once the underlying zero-day vulnerability becomes public knowledge.

People should be highly suspicious of any Word document that arrives in an e-mail, even if the sender is well known. The attacks observed by McAfee are unable to work when a booby-trapped document is viewed in an Office feature known as Protected View. Those who choose to open an attached Word document should exercise extreme caution before disabling Protected View. There's no word yet if use of Microsoft's Enhanced Mitigation Experience Toolkit prevents the exploit from working.