A previously unknown vulnerability in Microsoft Word is being exploited to spread the trojan Dridex.
Researchers at McAfee said that, unlike common Word document attacks, this flaw doesn't rely on macros to execute.
The researchers explain that the vulnerability lies in the Windows Object Linking and Embedding (OLE) feature of Office. While FireEye has reportedly been communicating with Microsoft for several weeks about the vulnerability, it was disclosed publicly for the first time on Saturday by McAfee.
Details on the patch are available in this security advisory (CVE-2017-0199) from Microsoft, which also confirms McAfee's claim that an exploit is in the wild.
"Meanwhile we encourage customers to practise safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue."

"The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue."
The firm recently detected suspicious Word documents packaged as .rtf files which, when opened, drop the malicious payload. The flaw allows a malicious Word file to carry code that downloads malware while displaying a decoy document to the user.
A security flaw in Microsoft Office has been used in criminal operations as well as espionage operations against Russian-speaking targets since January, according to a report from the security firm FireEye. In other words, it was a zero-day: unknown to the public and known only to the attackers exploiting it. As noted by our sister site, ZDNet, Microsoft is planning a patch for the vulnerability on Tuesday, April 11.
Disabling macros offers no protection against this flaw, but users are still advised to do so to protect themselves against other attacks.
Booby-trapped emails created to spread the cyber-pathogen have been sent to hundreds of thousands of recipients across numerous organisations, according to email security firm Proofpoint.
"We suggest everyone ensure that Office Protected View is enabled", said Li. Because the flaw lies in how Office handles OLE objects rather than in memory corruption, it is a logic bug, which gives attackers the power to bypass any memory-based mitigations developed by Microsoft. Their blog posting last week says they found the exploit on Thursday and published news of it Friday.
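The article says the malicious files are RTF documents carrying OLE objects, often delivered under a Word file name. The following triage scanner, added here as an example and not code from McAfee, FireEye or Microsoft, shows one defensive check a mail gateway or incident responder could run: it identifies RTF content by its header regardless of extension and flags the standard RTF control words that declare embedded or linked OLE objects. The sample documents are constructed and carry no payload.

```python
import re

# Standard RTF control words (from the RTF specification) that introduce
# embedded or linked OLE objects. Their presence alone is not proof of malice,
# but an auto-updating linked object is fetched without user interaction,
# which is exactly the behaviour a reviewer wants to look at more closely.
OLE_CONTROL_WORDS = ("object", "objautlink", "objupdate", "objdata")

def _has_control_word(data: bytes, word: str) -> bool:
    """Match a control word at a proper boundary (RTF ends them with a non-letter)."""
    return re.search(rb"\\" + word.encode() + rb"(?![A-Za-z])", data) is not None

def scan_rtf(data: bytes, filename: str) -> dict:
    """Triage one document: is it really RTF, and does it carry OLE object markers?"""
    is_rtf = data.lstrip().startswith(b"{\\rtf")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    found = [w for w in OLE_CONTROL_WORDS if is_rtf and _has_control_word(data, w)]
    # "auto link" plus "update on open" together mean the linked object is
    # resolved as soon as the document is rendered.
    auto_update = "objautlink" in found and "objupdate" in found
    # RTF content delivered as .doc/.docx is a common way to hide the format.
    mismatch = is_rtf and ext in ("doc", "docx")
    return {
        "is_rtf": is_rtf,
        "extension_mismatch": mismatch,
        "ole_control_words": found,
        "auto_updating_link": auto_update,
        "suspicious": auto_update or (mismatch and bool(found)),
    }

# Constructed samples: a plain RTF note, an RTF declaring an auto-updating
# linked OLE object (no data, just the structure), and a non-RTF file.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly notes, nothing embedded.}"
LINKED_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate"
              b"{\\*\\objclass Word.Document.8}{\\*\\objdata 00}}}")
NOT_RTF = b"PK\x03\x04 constructed zip header"

if __name__ == "__main__":
    for name, blob in (("notes.rtf", BENIGN_RTF), ("invoice.doc", LINKED_RTF),
                       ("report.docx", NOT_RTF)):
        print(name, scan_rtf(blob, name))
```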