FireEye Labs has warned of a zero-day vulnerability affecting Microsoft Word. The warning came in a blog post by threat researcher Genwei Jiang. In the blog, Jiang says FireEye alerted Microsoft to the vulnerability a few weeks ago and that Microsoft was already working towards a fix. That fix will be available this week, so why make the warning public before the fix ships?
Normally this happens when a vendor is dragging its feet. In this case it is because another security company decided to release details of the vulnerability early. FireEye users will see alerts for this attack under the heading Malware.Binary.Rtf.
What is the risk from Microsoft Word?
Unlike most Microsoft Word attacks, this one does not rely on users enabling macros. Instead, the document is sent as an RTF (Rich Text Format) file rather than a Doc or Docx file. When the document is opened, an embedded link connects to a remote web server and downloads a malicious file. That file has the extension .hta and is then executed by the Microsoft HTA application.
The malicious code then carries out a number of actions. It downloads additional files that infect the user's machine. While doing this it loads a fake document to distract the user from the activity taking place in the background. Neither FireEye nor Microsoft has disclosed what the downloaded malware does.
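For defenders triaging inbound attachments, the delivery chain described above (an RTF file whose embedded link fetches an .hta file) can be screened for with a simple heuristic. This is an added example, not FireEye's or Microsoft's detection logic. It assumes the link is carried as an OLE object using the RTF specification's `\objautlink`, `\objupdate` and `\objdata` control words, which the article does not state; the function names and sample document are constructed for illustration.

```python
import re

# Hex payload that follows \objdata (RTF specification control word).
OBJDATA = re.compile(rb"\\objdata\b([^{}\\]*)")
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,}")
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")


def decode_objdata(raw: bytes) -> bytes:
    """Convert the hex text after \\objdata to bytes, skipping whitespace."""
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", raw)
    digits = digits[: len(digits) // 2 * 2]  # drop an odd trailing nibble
    return bytes.fromhex(digits.decode("ascii"))


def triage_rtf(data: bytes) -> dict:
    """Report linked objects and remote URLs found in an RTF document."""
    result = {"is_rtf": data.lstrip()[:4] == b"{\\rt", "linked": False,
              "auto_update": False, "urls": [], "hta_urls": []}
    if not result["is_rtf"]:
        return result
    result["linked"] = re.search(rb"\\objautlink\b", data) is not None
    result["auto_update"] = re.search(rb"\\objupdate\b", data) is not None
    for match in OBJDATA.finditer(data):
        blob = decode_objdata(match.group(1))
        result["urls"] += [u.decode("ascii") for u in URL_ASCII.findall(blob)]
        result["urls"] += [u.decode("utf-16-le") for u in URL_UTF16.findall(blob)]
    # Flag URLs whose path ends in .hta, the extension named in the article.
    result["hta_urls"] = [u for u in result["urls"]
                          if u.lower().split("?")[0].endswith(".hta")]
    return result


# Constructed sample (not a working document): a link object whose data
# carries a UTF-16 URL on a reserved, non-resolving domain.
SAMPLE_URL = "http://example.invalid/decoy.hta"
SAMPLE = (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata "
          + (b"\x00" * 4 + SAMPLE_URL.encode("utf-16-le") + b"\x00\x00").hex().encode()
          + b"}}}")

if __name__ == "__main__":
    print(triage_rtf(SAMPLE))
    print(triage_rtf(b"{\\rtf1 Plain text, no objects}"))
```

This is a triage heuristic rather than a full RTF parser: object data that is split across nested groups or interleaved with other control words will not be decoded, so a clean result does not clear a file.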
At first glance this seems like just another attack that can be quickly patched and resolved. However, Paul Farrington, Manager, EMEA Solution Architects, Veracode, a company recently acquired by CA, says it is much more serious than that. In a statement emailed to the press he says: “Clearly the fact that the RTF file is able to download the malicious HTML that enables local execution of malware points to a lack of control in interpreting untrusted input from the outside world.
“The Microsoft engineers will not only need to devise a patch for this vulnerability, but also to remodel their threat assessment of this type of file interaction. They will need to make the opening of untrusted Word documents a viable option once again, else a major benefit of this word processing software would be seriously weakened, i.e. the portability of the document. For now, the advice to only open trusted documents is both pragmatic and necessary until patches for this zero-day become generally available.”
It is not clear yet where this vulnerability came from or who the hackers behind it are. What is certain is that it will have a high degree of success. Many of the end user security products on the market are currently unable to detect it. Users will again have to be warned over the risks of opening Microsoft Word documents that come from untrusted sources.