The internet is buzzing with yet another 0-day exploit for Microsoft Word. Yes, this one is serious and can infect you with no action on your part if you open one of these malicious Word documents. But let’s just step back, take a deep breath and, in the immortal words of Clive Dunn as Lance Corporal Jack Jones in Dad’s Army, “Don’t Panic”. The sky isn’t falling. The world won’t end on Monday morning with a mass explosion of malicious Word docs being malspammed to every internet user.
Firstly, modern versions of Microsoft Office, that is everything since 2010, have “Protected View” enabled by default. Using “Protected View” stops this exploit dead in its tracks.
We have been telling everybody how to protect against Office exploits and vulnerabilities for ages. https://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/
This exploit is worse than other known exploits because it doesn’t require any extra user interaction. All you have to do is open the infected Word doc; you do not need to click anything inside it. But I repeat: it cannot infect you if you have Protected View enabled and do not disable Protected View or enable editing.
Typical examples that Protected View shows are these images. Quite clear and easy to understand. But of course there will always be the “victim” who ignores it, like the “Caution Wet Paint” sign. “I wonder what will happen if I touch the wet paint. Oh look, I have got paint on my hands.” The same here. Ignore the warning at your peril. Stay in Protected View and this and all other known exploits cannot harm you.
This exploit was apparently discovered by FireEye, who have been discussing the defences and patches for this with Microsoft for several weeks. One report suggests since late January. If the risk was seen to be so widespread and dangerous, then it is unlikely that Microsoft would have left it for so long.
McAfee have published a blog post about this, having independently discovered the same exploit in recent malicious Word docs submitted to them. They say that they have been seeing these since January.
It is very simple to protect yourselves against being infected by these:
Follow McAfee’s recommendation:
- Do not open any Office files obtained from untrusted locations.
- According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.
I am sure that Microsoft will be issuing a patch for this at the earliest opportunity. Security patches for April are due this Tuesday 11th April 2017. I would not be surprised to see this being fixed in this month’s Office updates.
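One way to confirm that Protected View has not been switched off on a machine is to audit Word's settings for the current user, as in this PowerShell script. It is an added example, not code from the original post or from McAfee. It assumes the `DisableInternetFilesInPV`, `DisableAttachmentsInPV` and `DisableUnsafeLocationsInPV` registry values under Word's `Security\ProtectedView` key, covers Office 2010, 2013 and 2016 only, and treats a missing value as the default (enabled).

```powershell
# Audit Word's Protected View settings for the current user.
# A value of 1 means that Protected View trigger has been switched off;
# a missing value or 0 leaves the default (enabled) behaviour in place.
$versions = @{ '14.0' = 'Office 2010'; '15.0' = 'Office 2013'; '16.0' = 'Office 2016' }
$settings = @{
    DisableInternetFilesInPV   = 'Files downloaded from the Internet'
    DisableAttachmentsInPV     = 'Outlook attachments'
    DisableUnsafeLocationsInPV = 'Files in potentially unsafe locations'
}
# Group Policy values take precedence over the user's own Trust Center choices.
$roots = @(
    'HKCU:\Software\Policies\Microsoft\Office',
    'HKCU:\Software\Microsoft\Office'
)

$findings = foreach ($ver in $versions.Keys) {
    # Assumption: a Word key exists for every version this user has run.
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver\Word")) { continue }
    foreach ($name in $settings.Keys) {
        $state = 'Enabled (default)'; $source = 'none set'
        foreach ($root in $roots) {
            $key = "$root\$ver\Word\Security\ProtectedView"
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $value) {
                $state  = if ($value -eq 1) { 'DISABLED' } else { 'Enabled' }
                $source = $key
                break   # first root that defines the value wins
            }
        }
        [pscustomobject]@{
            Office  = $versions[$ver]
            Trigger = $settings[$name]
            State   = $state
            Source  = $source
        }
    }
}

if (-not $findings) {
    Write-Output 'No Word 2010/2013/2016 settings found for this user.'
} else {
    $findings | Sort-Object Office, Trigger | Format-Table -AutoSize
    if ($findings.State -contains 'DISABLED') {
        Write-Warning 'Protected View is off for at least one trigger. Re-enable it in Word: File > Options > Trust Center > Trust Center Settings > Protected View.'
    }
}
```

The script only reads the registry and changes nothing; any row marked DISABLED shows which key holds the setting so it can be corrected in the Trust Center or in Group Policy.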