Word 0-day vulnerability exposed: no need to enable macros, opening the document automatically installs a malicious program

ID MYHACK58:62201785131
Type myhack58
Reporter Anonymous
Modified 2017-04-11T00:00:00


Using Word macros to distribute malicious programs is a routine technique today, so many people choose to disable macros. But if disabling macros does not help, a malicious Word document becomes a very different kind of danger. Recently, McAfee and FireEye security researchers discovered that attackers are using a Microsoft Office 0-day vulnerability to quietly execute code and install malicious software on other people's computers, without needing a macro. This vulnerability has yet to be fixed.

Vulnerability overview

Researchers said they found a malicious Word document attached to an e-mail; the file contains an OLE2link object. Once the file is opened, the exploit code in it is executed. It connects to a remote server controlled by the attacker and downloads from that server an HTML application (HTA) file masquerading as an RTF document.

The HTA file is executed automatically, which gives the attacker arbitrary code execution on the target device. It then downloads additional payloads from "other well-known malware families", which infect the target PC, and closes the malicious Word file.

All Windows and Office versions are affected

According to the researchers, this 0-day attack is able to bypass the vast majority of Microsoft's exploit mitigation mechanisms. Unlike conventional Word exploits, it does not require the user to enable Word macros.

[Figure: captured network traffic]

The .hta file is disguised as an ordinary RTF file to evade security products, but the malicious VB script can still be found in the rear portion of the file.

[Figure: rear portion of the file, showing the malicious VB script]

McAfee indicates that the vulnerability affects all versions of Office on all Windows operating systems; even Windows 10, considered to be Microsoft's most secure operating system, has not been spared.
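A defender-side check for the disguise described above: a file that presents itself as RTF while carrying HTA or VB script markup near its end. This is an added example, not code from the original article or from McAfee or FireEye; the function name, the marker list and both sample byte strings are constructed for illustration.

```python
import re

RTF_MAGIC = b"{\\rtf"   # every RTF file starts with this control word

# Byte patterns that belong in an HTML Application, not in an RTF document.
MARKERS = {
    "hta_tag": re.compile(rb"<\s*hta:application\b", re.I),
    "script_tag": re.compile(rb"<\s*script\b", re.I),
    "vbscript": re.compile(rb"language\s*=\s*[\"']?\s*vbscript", re.I),
}

def inspect_payload(body: bytes) -> dict:
    """Report script/HTA markers inside a file that presents itself as RTF."""
    looks_rtf = body.lstrip()[:len(RTF_MAGIC)].lower() == RTF_MAGIC
    hits = {}
    for name, pattern in MARKERS.items():
        match = pattern.search(body)
        if match:
            # Relative offset: the article notes the script sits near the end.
            hits[name] = round(match.start() / len(body), 2)
    return {
        "looks_rtf": looks_rtf,
        "markers": hits,
        # An RTF header combined with active-script markup is the mismatch
        # worth alerting on; an RTF that merely quotes HTML can also match.
        "disguised_hta": looks_rtf and bool(hits),
    }

# Constructed samples (not taken from the real attack).
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}}\\f0 Quarterly report.\\par}"
DISGUISED = (
    b"{\\rtf1\\ansi " + b"\\par filler text " * 40 + b"}\n"
    b"<html><head><script language=\"VBScript\">\n"
    b"' constructed placeholder, no payload\n"
    b"</script></head></html>\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RTF), ("disguised", DISGUISED)):
        print(label, inspect_payload(sample))
```

The same check can run on files written to disk by a mail gateway or web proxy, since it only needs the raw bytes of the download.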
In addition, before it terminates, the exploit displays a decoy Word document to the victim in order to hide signs of the attack. A McAfee security researcher mentioned in Friday's blog post:

The exploit closes the malicious Word document and presents a forged Word document to the victim, when in fact the malicious software has already been secretly installed.

The fundamental reason this 0-day succeeds is Windows Object Linking and Embedding (OLE), an important feature of Office.

It is worth noting that Microsoft's next security patch update will be released on Tuesday; however, there is a chance that Microsoft will not be able to fix this vulnerability before Tuesday.

The patch has not arrived, what should I do?

FireEye and McAfee have not yet published the specific details of these attacks and the related vulnerability; they are expected to be published soon. Because this attack works on the latest Windows systems and Office software, we strongly recommend the following measures:

Do not open or download any suspicious Word documents from your mailbox, even if you know who the sender is.
Viewing such a malicious document in Office Protected View causes the attack to fail, so we recommend that Windows users enable this feature when viewing Office documents.
Ensure that the system and the antivirus software are on the latest version.
Regularly back up your files to an external hard drive.
Disabling Word macros is ineffective against this attack, but users should still disable macros to defend against other types of attacks.
Stay alert to phishing emails and spam, and think twice before clicking on suspicious files.