Zero-Day Microsoft Office threat – attacker can gain control of the victim's machine.
Below is a summarized version of the official posting by McAfee seen here.
‘After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched.
The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10.
The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding, an important feature of Office.
The exploit connects to a remote server controlled by the attacker, downloads a file that contains HTML application content, and executes it as an .hta file. Due to .hta being executable, the attacker gains full code execution on the victim’s machine.
We strongly suggest Office users take the following actions to protect or mitigate against this zero-day attack before Microsoft issues an official patch.
We notified the Microsoft Security Response Center as soon as we found the suspicious samples, and we will continue to work with them to protect Office users.
Do not open any Office files obtained from untrusted locations.
According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.’
How can we as system administrators stop users and ourselves from falling prey to this threat?
At the time of writing this post, Microsoft has yet to roll out a fix; however, security researchers have indicated that Microsoft plans to patch the vulnerability this coming Tuesday.
In the meantime, setting the following values under HKEY_CURRENT_USER in the Windows Registry (the version segment, 15.0 here, is Office 2013; use 14.0 for Office 2010 and 16.0 for Office 2016, matching whatever is installed):
Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles = 2 (DWORD), and in the same FileBlock key, OpenInProtectedView = 0 (DWORD)
uses Word's File Block policy to refuse to open RTF files at all: RtfFiles = 2 blocks both opening and saving of the format, and OpenInProtectedView = 0 means blocked types are not opened even in Protected View. The samples seen so far are RTF documents, so this stops them being opened. It does not fix the underlying OLE flaw, it only covers Word, and legitimate RTF files will also be blocked until the patch is applied and the values are removed again.
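The following PowerShell script is an added example, not code from the original post or from McAfee or Microsoft. It applies the File Block mitigation above for every Word version found under the current user's hive and then reports whether any of Word's Protected View modes has been switched off. The version-to-product mapping and the HKCU location are taken from the registry path quoted above; the three ProtectedView value names are the ones Word's Trust Center writes (the misspelling "Attachements" is how the value is actually named) and should be checked against your own build before relying on them.

```powershell
# Added example (not from the original post, McAfee or Microsoft).
# Applies RtfFiles=2 / OpenInProtectedView=0 under Word's FileBlock key for each
# installed Office version and warns if Protected View has been disabled.
# Assumes per-user (HKCU) keys; a domain-wide rollout would use Group Policy instead.

$versions = @{ '14.0' = 'Office 2010'; '15.0' = 'Office 2013'; '16.0' = 'Office 2016' }

foreach ($v in $versions.Keys) {
    $wordKey = "HKCU:\Software\Microsoft\Office\$v\Word"
    if (-not (Test-Path $wordKey)) { continue }   # this Office version is not present for this user

    # 1. Block RTF entirely: RtfFiles=2 blocks open and save,
    #    OpenInProtectedView=0 stops blocked types being opened even in Protected View.
    $fileBlock = Join-Path $wordKey 'Security\FileBlock'
    New-Item -Path $fileBlock -Force | Out-Null
    New-ItemProperty -Path $fileBlock -Name 'RtfFiles' -PropertyType DWord -Value 2 -Force | Out-Null
    New-ItemProperty -Path $fileBlock -Name 'OpenInProtectedView' -PropertyType DWord -Value 0 -Force | Out-Null

    # Read the values back so the script proves what is now in the registry.
    $applied = Get-ItemProperty -Path $fileBlock -Name 'RtfFiles','OpenInProtectedView'
    Write-Output ("{0}: RtfFiles={1}, OpenInProtectedView={2}" -f $versions[$v], $applied.RtfFiles, $applied.OpenInProtectedView)

    # 2. Check Protected View. For these values 1 means that Protected View mode is OFF;
    #    absent or 0 means it is on (the default). Value names assumed from Word's Trust Center.
    $pv = Join-Path $wordKey 'Security\ProtectedView'
    foreach ($name in 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV') {
        $val = (Get-ItemProperty -Path $pv -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) {
            Write-Warning ("{0}: {1} is 1, so Protected View is disabled for that file source" -f $versions[$v], $name)
        }
    }
}
```

Run it in the context of each user account you want to protect (the keys are per-user), and remove the two FileBlock values once the Microsoft patch has been installed so that RTF files open normally again.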