My Viral Box Logo
Ad image
  • Funny Stories
  • Weird Stories
  • Scary Stories
  • Ghost Stories
  • Funny Riddles
  • Short Jokes
Reading: A critical 0day vulnerability was detected in all versions of MS Word / Geektimes
Share
MYVIRALBOX MYVIRALBOX
Font ResizerAa
  • Funny Stories
  • Weird Stories
  • Funny Riddles
  • Ghost Stories
  • Scary Stories
Search
  • Funny Stories
  • Weird Stories
  • Scary Stories
  • Ghost Stories
  • Funny Riddles
  • Short Jokes
Have an existing account? Sign In
Follow US
© Foxiz News Network. Ruby Design Company. All Rights Reserved.
MYVIRALBOX > Funny Stories > A critical 0day vulnerability was detected in all versions of MS Word / Geektimes
Funny StoriesWeird Stories

A critical 0day vulnerability was detected in all versions of MS Word / Geektimes

MVB Staff
Last updated: April 25, 2024 3:36 pm
MVB Staff
Published: April 11, 2017
Share
6 Min Read
SHARE

MS Word

McAfee and FireEye reported the detection of real attacks on Microsoft Word users through a new 0day vulnerability, for which a patch has not yet been released. Vulnerability allows you to quietly execute arbitrary code on your victim’s computer and install malicious software. The most unpleasant, all versions of MS Word are affected on all versions of Windows, including the latest version of Office 2016 under Windows 10, even with macros turned off.

Microsoft is notified of the vulnerability and must prepare a patch for the security update Patch Tuesday, which Will be held tomorrow, 11 April. However, as history shows with a similar 0day vulnerability CVE-2014-4114 / 6352 (aka Sandworm), Microsoft does not always manage to close 0day from the first patch.

Researchers at McAfee write that they found the first attacks using this 0day in January of this year. Apparently, they only recently received samples of malicious code, so they were able to analyze in detail the infection mechanism.

During the attack, Word files are used (specifically, RTF documents with .doc extension).

If the protected mode of Office Protected View is disabled in Microsoft Word, then the exploit is automatically launched when the document is opened. After that, the winword.exe process makes an HTTP request to the remote server, from where it downloads an HTA file (an HTML application) disguised as an RTF document. The HTA file automatically launches and executes a malicious script. This script closes the original infected Word file, and instead shows the user a dummy text document. The original winword.exe process closes to hide the user from the window that displays OLE2Link. At the same time, the script downloads additional malicious code from the remote server for installation on the computer.

Using the .hta version, McAfee researchers write, the authors of the exploit effectively bypass all the memory protection measures implemented by Microsoft, as well as antivirus protection and the majority Other protection methods.

Here is a fragment of communication with the server:

HTA masking in the form of an RTF document is performed to bypass antivirus programs, if installed on the victim’s computer. At the bottom of this document, malicious Visual Basic scripts are written that do all the work.

McAfee experts write that this 0day vulnerability is related to the function of Object Linking and Embedding OLE) – an important part of the functionality of Office, which actually allows you to embed some documents inside others. This function has been used repeatedly for various attacks. For example, back in 2015, the same McAfee specialists prepared a presentation for the Black Hat USA hacker conference in which they talked about possible vectors of attack through OLE.

FireEye employees claim that they discovered this vulnerability before McAfee and were first to be sent The message in Microsoft, but remained silent until the release of the patch. After the publication of the McAfee blog post, there is no sense to keep silent, so they also reported on what they could understand after analyzing this exploit.

In FireEye products, malicious documents are defined as Malware.Binary.Rtf.

Security specialist Mikko Hypponenov learned that Microsoft will accurately release a patch for this vulnerability in the nearest Patch Tuesday, that is, tomorrow, April 11, 2017.

Before installing the patch, you can lock RTF in the registry in such a way: set the value in the registry to
Software Microsoft Office 15.0 Word Security FileBlock RtfFiles to 2, and OpenInProtectedView To 0. In this case, when you try to open a file in RTF format, the following message will appear:

By the way, this is a recommendation from Ryan Hanson, who claims that it was he Found this 0day in July, and reported it in October 2016. And now it was disclosed by strangers. If he is telling the truth, then Microsoft really does cover critical vulnerabilities for a very long time.

This is the MS Word 0day I discovered in July, and discovers in October, has been publicly disclosed Someone else.

– Ryan Hanson (@ryHanson) April 9, 2017

But the tests showed that when the protected Office Protected View mode is opened, the exploit can not run for execution, so blocking RTF is an extreme measure.

In any case, all users of Microsoft Office in the near future are highly recommended:

  • Do not open any Office documents obtained from unreliable sources.
  • Enable Office Protected View protection.

Antivirus companies do not say who was the victim of the attacks. But from past experience it is known that such 0day are often used in targeted attacks on the state order. It’s strange that Microsoft has been working on the patch for so long.

MVB Staff
MVB Staff

You Might Also Like

The bunker of the day of judgment in Norway will now store not only the seeds, but also the data
Darwin was lazy, and you would not be in the way too. / Geektimes
Job Sales: Employees in China list Boss and Colleagues for Sale Online
Chrome 58 patches protection against homographic attacks / Geektimes
11 Funny Animal Memes That’ll Crack You Up (Even on a Monday)
Leave a Comment Leave a Comment

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Search Posts

‎‎‎‎‎Explore Our Categories

  • Funny Riddles9
  • Funny Stories531
  • Ghost Stories3
  • Scary Stories25
  • Short Jokes1
  • Weird Stories483
Ad image

Latest added

Bizarre Foods with Andrew Zimmern
Weird Stories

10 Bizarre Foods with Andrew Zimmern You Have to See to Believe

July 28, 2025
luck Bollywood movie
Funny Stories

9 Bollywood Comedies About Luck

July 26, 2025
funny animal memes
Funny Stories

11 Funny Animal Memes That’ll Crack You Up (Even on a Monday)

July 23, 2025
scary pictures
Scary Stories

10 Bone-Chilling Photos You’ll Regret Looking at Before Bed

July 14, 2025
weird facts
Weird Stories

10 Weird Facts You Won’t Believe Are True

July 8, 2025
funny scary movies
Funny Stories

11 Funny Scary Movies That Blend Horror and Humor Perfectly

June 30, 2025

Explore More

  • Privacy Policy
  • Submit Your Silly Stories

Follow US on Social Media

Facebook Instagram Pinterest Envelope-open

My Viral Box Logo

About My Viral Box

MyViralBox brings together all the weird, wacky, scary and funny news from around the web in one place to brighten your day. You might scratch your head; you might laugh out loud; you might glance over your shoulder; but you’re gonna have fun whenever you drop by. Funny news, weird news, chill-inducing spookiness, jokes and riddles of all kinds, plus whatever else we come across that we think just has to go viral; you’ll find it all right here!

© My Viral Box. All Rights Reserved.

Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?