On April 6, 2017, researchers from McAfee and FireEye announced that they had found multiple cases of email-based attacks being used to compromise fully patched and updated Windows operating systems.

The threat vector is an unpatched zero-day bug currently found in all versions of Microsoft Office running on Windows operating systems. The root cause lies in an Office feature called Object Linking and Embedding, or OLE for short. OLE lets applications embed and link to documents and objects.

The attack is delivered by email. An actor emails a Word document with an embedded OLE2link object to a victim. The victim opens the Word document. Then winword.exe issues an HTTP request to the attacker’s remote server and retrieves a malicious .hta file that appears as a fake RTF file. Finally, the .hta application executes the malicious script (FireEye). FireEye has stated, “the vulnerability is bypassing most mitigations, FireEye email and network products detect the malicious documents” (FireEye).
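The network step in that chain, Word fetching something named like a document but served as an HTML Application, can be hunted for in proxy logs. The Python below is an added example, not code from FireEye, McAfee or this post; the log format, field names, hosts and URLs are constructed, and it assumes each record carries the requesting process and the response Content-Type.

```python
import json
from urllib.parse import urlparse

# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE_LOG = """\
{"host":"ws-014","process":"winword.exe","url":"http://files.example.test/invoice.rtf","content_type":"application/hta"}
{"host":"ws-014","process":"winword.exe","url":"http://intranet.example.test/template.rtf","content_type":"application/rtf"}
{"host":"ws-022","process":"chrome.exe","url":"http://tools.example.test/setup.hta","content_type":"application/hta"}
not-json debris line
{"host":"ws-031","process":"WINWORD.EXE","url":"http://cdn.example.test/report.doc?id=7","content_type":"Application/HTA; charset=utf-8"}
"""

OFFICE_PROCESSES = {"winword.exe"}            # the process named in the write-up
DOCUMENT_EXTENSIONS = {".rtf", ".doc", ".docx"}
HTA_MIME = "application/hta"                  # MIME type of HTML Applications


def url_extension(url):
    """Lower-cased extension of the URL path, ignoring the query string."""
    path = urlparse(url).path.lower()
    dot = path.rfind(".")
    return path[dot:] if dot > path.rfind("/") else ""


def is_suspicious(record):
    """True when Word fetched a document-looking URL that was served as an HTA."""
    process = record.get("process", "").lower()
    mime = record.get("content_type", "").split(";")[0].strip().lower()
    return (process in OFFICE_PROCESSES
            and url_extension(record.get("url", "")) in DOCUMENT_EXTENSIONS
            and mime == HTA_MIME)


def find_hits(log_text):
    hits = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        if isinstance(record, dict) and is_suspicious(record):
            hits.append((record.get("host"), record.get("url")))
    return hits


if __name__ == "__main__":
    for host, url in find_hits(SAMPLE_LOG):
        print(f"{host}: Word fetched HTA content disguised as a document: {url}")
```
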

FireEye and McAfee have been in close contact with Microsoft about the vulnerability. It has been said that Microsoft should have a patch out within the next few days. Until the patch is released, we suggest that users open Office documents of any kind using the “protected view” feature. This view combats the threat vector. Furthermore, we suggest that individuals take extreme precaution when downloading document files until Microsoft is able to release a patch.

 

Guide to Enabling Protected View

Posted by Shawn Thornton

My name is Shawn and my professional background is in Project Management and Information Technology. I received my Bachelor of Science in Management and Marketing from the Merrick School of Business at the University of Baltimore. I am currently attending school to prepare me for a Master’s program in Cyber Security. I enjoy anything tech.
