Security News Researchers Warn of New Microsoft Zero-Day

[frogboy]

Security experts are warning of a critical zero-day threat that has been targeting Microsoft Word users since late January.

The attack allows hackers to remotely execute code on a targeted computer by tricking the user into opening a Word doc containing an embedded exploit.

The Windows Object Linking and Embedding (OLE) is primarily targeted with this exploit, which works on all versions of Office up to Office 2016 running on Windows 10.

FireEye, which has been working with Microsoft on the issue “for several weeks”, explained that a hacker would first email a Word document booby-trapped with a malicious embedded OLE2link object.

It continued:

“When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.”

Read More. Researchers Warn of New Microsoft Zero-Day

 

[Deleted member 178]

Happy clickers lose again.

 

[Solarquest]

Attacks Detected with New Microsoft Office Zero-Day

3 interesting points:
...
While the attack uses Word documents, OLE2link objects can also be embedded in other Office suite applications, such as Excel and PowerPoint.
...
The attack routine does not rely on enabling macros, so if you don't see a warning for macro-laced documents, that doesn't mean the document is safe.

.....
If the victim uses Office Protected View when opening files, the exploit is disabled and won't execute. If the user has disabled Protected View, the exploit executes automatically, making an HTTP request to the attacker's server, from where it downloads an HTA (HTML application) file, disguised as an RTF.

What is Protected View? - Office Support

 

[Solarquest]

Microsoft Office Zero-Day Used to Push Dridex Banking Trojan

The operators of the Dridex botnet are using the recently disclosed Microsoft Office zero-day to spread a version of their malware, the infamous Dridex banking trojan.

It is unclear at this time if the Dridex gang was the group that discovered the zero-day, or if they just figured out a way to exploit it after McAfee and FireEye disclosed public details over the weekend.

Dridex campaign targeted Australian users
According to cyber-security firm Proofpoint, who discovered the Dridex spam campaign delivering Word documents weaponized with this zero-day, the spam wave consisting of millions of emails targeted mainly Australia.

The Dridex malware version delivered through these emails, which mimicked document scans, contained configurations to target a slew of Australian banks via the installation of Dridex botnet ID 7500, one of the many Dridex variants active today. Proofpoint reported activity from the Dridex botnet ID 7500 last week, yet a spokesperson has not confirmed if the group was using the zero-day at that time.

This campaign is the first time when we see the Dridex group using an unpatched zero-day for distributing their malware. Usually, the group relied on Word files laced with macro scripts.

Microsoft to patch zero-day today
.....

 

[Entreri]

No user interaction zero days are beasts.

 

[Dean Winchestere]

Appguard would have prevented this zero day. :/

 

[Solarquest]

Appguard would have prevented this zero day. :/

Can you test it before Microsoft patches it?
Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day | Proofpoint
Link, Sha etc are all in the link above

 

[shmu26]

Just disable MSHTA, you don't need it anyway.

 

[Peter2150]

Can you test it before Microsoft patches it?
Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day | Proofpoint
Link, Sha etc are all in the link above

Hi Solarquest

I thrown so much stuff at Appguard it's boring. Since winword is guarded anything it spawns is guarded. Not going near anything system wise.

 

[WinXPert]

Ditch MS Office, use alternatives

 

[509322]

Appguard would have prevented this zero day. :/

AppGuard won't prevent the exploit, but it will block the downloaded *.hta from launching.

 

[509322]

Ditch MS Office, use alternatives

As simple as that... unless you absolutely have no other choice or option except to use Microsoft Office.

 

[Peter2150]

Ditch MS Office, use alternatives

I love it when people say that. Name something that will do the same things I have to do with office and I'd consider it.

 

[WinXPert]

As simple as that... unless you absolutely have no other choice or option except to use Microsoft Office.

I love it when people say that. Name something that will do the same things I have to do with office and I'd consider it.

WPS Office is a good alternative. I haven't used the latest Libre Office version so idk how good it is now. And there is Ability Office too which I got from Sharewareonsale.

 

[Peter2150]

WPS Office is a good alternative. I haven't used the latest Libre Office version so idk how good it is now. And there is Ability Office too which I got from ******.

Unfortunately none of them come even close. At least Ability has an access like database. But none of them have anything like Outlook. And while a pain it is one of my bread and butter applications.

 

[jamescv7]

Microsoft should integrate proper Smartscreen filtering component on Windows apps including Office, besides to protected mode feature.

Remember that a user will only stop to proceed on next operation when a notification is shown which considered malicious.

 

[shmu26]

Unfortunately none of them come even close. At least Ability has an access like database. But none of them have anything like Outlook. And while a pain it is one of my bread and butter applications.

I agree 100%. If you use an office suite seriously, and take advantage of its features, then MS Office really has no competitors.
If you just want to type a letter, so use google docs.

 

[Winter Soldier]

So it seems the execution of arbitrary code on the user's computer does not require the activation of the macro (exploited by the majority of the attacks detected in the past).