Fresh Microsoft Office franken-exploit flops – and you should have patched by now anyway

Exploit combo fails to dodge Word warning prompts


Updated: A booby-trapped .RTF file is doing the rounds that combines two publicly available Microsoft Office exploits.

Opening the document in a vulnerable installation of Office is supposed to lead to execution of arbitrary malicious code embedded in the file.

Cisco's security outfit Talos believes "the attackers used the combination to avoid Word displaying [an on-screen] prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination in order to avoid behavioral detection systems."

In other words, crooks mashed two exploits together to stop a dialog box appearing mid-attack, which may tip off savvy users, and to confuse and evade antivirus packages. The combo-exploit leverages CVE-2017-0199 and CVE-2012-0158, patched by Microsoft in April.

The code doesn't work properly, though, indicating "poor testing or quality control procedures", Talos said. However, this does show a level of experimentation by crims seeking to use the Ole2Link bug CVE-2017-0199 as a means to launch additional weaponised files and avoid user prompts.

"This attack may have been an experiment that didn't quite work out, or it may be indication of future attacks yet to materialise," Cisco Talos warned on Monday.

A Microsoft spokesperson told us: "We released a security update in April. Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected."

So, make sure you're patched. ®

