Fresh Microsoft Office franken-exploit flops – and you should have patched by now anyway

Exploit combo fails to dodge Word warning prompts


Updated: A booby-trapped .RTF file is doing the rounds that combines two publicly available Microsoft Office exploits.

Opening the document in a vulnerable installation of Office is supposed to lead to execution of arbitrary malicious code embedded in the file.

Cisco's security outfit Talos believes "the attackers used the combination to avoid Word displaying [an on-screen] prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination in order to avoid behavioral detection systems."

In other words, crooks mashed two exploits together to stop a dialog box appearing mid-attack, which may tip off savvy users, and to confuse and evade antivirus packages. The combo-exploit leverages CVE-2017-0199 and CVE-2012-0158, patched by Microsoft in April.

The code doesn't work properly, though, indicating "poor testing or quality control procedures", Talos said. However, this does show a level of experimentation by crims seeking to use the Ole2Link bug CVE-2017-0199 as a means to launch additional weaponised files and avoid user prompts.

"This attack may have been an experiment that didn't quite work out, or it may be indication of future attacks yet to materialise," Cisco Talos warned on Monday.

A Microsoft spokesperson told us: "We released a security update in April. Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected."

So, make sure you're patched. ®

