On April 6, 2017, researchers from McAfee and FireEye announced that they had found multiple cases of email-based attacks being used to compromise fully patched and updated Windows operating systems.
The threat vector is an unpatched zero-day bug present in all versions of Microsoft Office running on Windows. The root cause lies in an Office feature called Object Linking and Embedding (OLE), which lets applications embed and link to documents and objects.
The attack is delivered by email. An actor emails a Word document with an embedded OLE2link object to a victim. When the victim opens the Word document, winword.exe issues an HTTP request to the attacker’s remote server, which returns a malicious .hta file disguised as an RTF file. Finally, the .hta application executes the malicious script (FireEye). FireEye has stated, “the vulnerability is bypassing most mitigations, FireEye email and network products detect the malicious documents” (FireEye).
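The chain above has one observable that defenders can watch for regardless of the document’s contents: winword.exe itself making an outbound HTTP request and pulling back an HTA. The script below is an added example, not code from the original post or from FireEye or McAfee. It runs over a constructed, hypothetical proxy/endpoint log format (one event per line with the process image, destination, URL path and the server’s response content type) and raises a high-severity alert when an Office process receives application/hta or requests a .hta resource, and a low-severity alert for any other HTTP fetch by an Office process, since the page notes the HTA was disguised as an RTF file and the content type is under the attacker’s control.

```python
"""Flag Office processes fetching HTA content over HTTP.

Added example (not part of the original post). The log format below is
constructed for illustration; real proxy or EDR telemetry will differ,
but the fields (process image, destination, URL, response content type)
are what the detection needs.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Office processes that should rarely need to pull content over HTTP themselves.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Hypothetical log line:  <ts> proc=<image> dst=<host> url=<path> ctype=<response type>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"url=(?P<url>\S+)\s+ctype=(?P<ctype>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    proc: str
    dst: str
    url: str
    severity: str  # "high" or "low"
    reason: str


def parse_event(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(ev: dict) -> Optional[Alert]:
    """Decide whether one event is worth an alert and at what severity."""
    proc = ev["proc"].lower()
    if proc not in OFFICE_PROCESSES:
        return None  # browsers and updaters fetch HTML/HTA legitimately; out of scope here
    url, ctype = ev["url"].lower(), ev["ctype"].lower()
    if ctype == "application/hta":
        sev, why = "high", "Office process received an application/hta response"
    elif url.endswith(".hta"):
        sev, why = "high", "Office process requested a .hta resource"
    else:
        # The server may lie about the type (the HTA posed as RTF), so any
        # outbound fetch by an Office process is still worth a low-severity record.
        sev, why = "low", "Office process issued an outbound HTTP request"
    return Alert(ev["ts"], proc, ev["dst"], ev["url"], sev, why)


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the detection over a stream of log lines, skipping unparseable ones."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        alert = classify(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: the hosts, paths and timestamps are made up.
SAMPLE_LOG = [
    "2017-04-06T10:12:01Z proc=winword.exe dst=203.0.113.10 url=/template.doc ctype=application/hta",
    "2017-04-06T10:12:05Z proc=chrome.exe dst=example.com url=/index.html ctype=text/html",
    "2017-04-06T10:13:40Z proc=excel.exe dst=intranet.example.net url=/report.xlsx ctype=application/vnd.ms-excel",
    "2017-04-06T10:14:02Z proc=WINWORD.EXE dst=198.51.100.7 url=/update.hta ctype=application/octet-stream",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.proc} -> {a.dst}{a.url}: {a.reason}")
```

On the constructed sample this yields three alerts: two high (the application/hta response and the .hta URL) and one low (Excel fetching a spreadsheet from the intranet, which is the kind of event you tune out with an allow-list of internal hosts once a baseline exists).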
FireEye and McAfee have been in close contact with Microsoft about the vulnerability. It has been said that Microsoft should have a patch out within the next few days. Until the patch is released, we suggest that users open Office documents of any kind using the “Protected View” feature, which blocks this threat vector. Furthermore, we suggest that individuals take extreme precaution when downloading document files until Microsoft is able to release a patch.