arstechnica.com Open in urlscan Pro
18.119.39.54  Public Scan

Submitted URL: https://arstechnica.com/security/2017/04/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/
Effective URL: https://arstechnica.com/information-technology/2017/04/booby-trapped-word-documents-in-the-wild-exploit-critical-microso...
Submission Tags: falconsandbox
Submission: On August 13 via api from US — Scanned from DE


BOOBY-TRAPPED WORD DOCUMENTS IN THE WILD EXPLOIT CRITICAL MICROSOFT 0-DAY


THERE’S CURRENTLY NO PATCH FOR THE BUG, WHICH AFFECTS MOST OR ALL VERSIONS OF WORD.

Dan Goodin - 4/8/2017, 8:00 PM

Rob Enslin


Update, 4/10/2017, 9:20 AM California time: Security experts are reporting that
Microsoft will patch the vulnerability on Tuesday. In the meantime, users can
block code-execution exploits by setting the following values in their Windows
registry: Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2
and OpenInProtectedView to 0. What follows is the report as it was published on
Saturday.
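The registry mitigation in the update can be applied and verified from
PowerShell. The script below is an added illustration, not code from the Ars
article, FireEye, McAfee or Microsoft. It assumes the two values live under the
HKCU hive (the article names only the path below the hive), that both are
REG_DWORD values, and that "15.0" is the Office 2013 version token; the version
is a parameter so other installations can be targeted.

```powershell
# Added example (not from the article): apply the interim Word File Block
# mitigation for RTF files and read it back to confirm it took effect.
# Assumptions: HKCU hive, REG_DWORD values, "15.0" = Office 2013.

function Set-WordRtfFileBlock {
    param(
        [string]$OfficeVersion = "15.0"   # version token as given in the article
    )
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"

    # The FileBlock key does not exist until a File Block setting has been made.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # RtfFiles = 2: Word refuses to open RTF files.
    # OpenInProtectedView = 0: blocked file types are not opened at all
    # (a value of 1 would open them in Protected View instead).
    New-ItemProperty -Path $key -Name "RtfFiles" -PropertyType DWord -Value 2 -Force | Out-Null
    New-ItemProperty -Path $key -Name "OpenInProtectedView" -PropertyType DWord -Value 0 -Force | Out-Null

    Get-ItemProperty -Path $key | Select-Object RtfFiles, OpenInProtectedView
}

function Test-WordRtfFileBlock {
    param([string]$OfficeVersion = "15.0")
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileBlock"
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.RtfFiles -eq 2 -and $p.OpenInProtectedView -eq 0)
}

Set-WordRtfFileBlock
Test-WordRtfFileBlock
```

Because the values sit under HKCU, they protect only the user whose profile is
edited; a fleet-wide rollout would push the same File Block settings through
Group Policy. The trade-off is that legitimate RTF files stop opening in Word
until the setting is reverted after the patch is installed.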

There's a new zero-day attack in the wild that's surreptitiously installing
malware on fully patched computers. It does so by exploiting a vulnerability in
most or all versions of Microsoft Word.

The attack starts with an e-mail that attaches a malicious Word document,
according to a blog post published Saturday by researchers from security firm
FireEye. Once opened, exploit code concealed inside the document connects to an
attacker-controlled server. It downloads a malicious HTML application file
that's disguised to look like a document created in Microsoft's Rich Text
Format. Behind the scenes, the .hta file downloads additional payloads from
"different well-known malware families."

The attack is notable for several reasons. First, it bypasses most exploit
mitigations: this capability allows it to work even against Windows 10, which
security experts widely agree is Microsoft's most secure operating system to
date. Second, unlike the vast majority of the Word exploits seen in the wild
over the past few years, this new attack doesn't require targets to enable
macros. Last, before terminating, the exploit opens a decoy Word document in an
attempt to hide any sign of the attack that just happened.

The zero-day attacks were first reported Friday evening by researchers from
security firm McAfee. In a blog post, they wrote:

> The exploit connects to a remote server (controlled by the attacker),
> downloads a file that contains HTML application content, and executes it as an
> .hta file. Because .hta is executable, the attacker gains full code execution
> on the victim's machine. Thus, this is a logical bug [that] gives the
> attackers the power to bypass any memory-based mitigations developed by
> Microsoft. The following is a part of the communications we captured:
> 
> The successful exploit closes the bait Word document and pops up a fake one to
> show the victim. In the background, the malware has already been stealthily
> installed on the victim's system.
> 
> The root cause of the zeroday vulnerability is related to the Windows Object
> Linking and Embedding (OLE), an important feature of Office. (Check our Black
> Hat USA 2015 presentation in which we examine the attack surface of this
> feature.)

FireEye researchers said they have been communicating with Microsoft about the
vulnerability for several weeks and had agreed not to publicly disclose it
pending the release of a patch. FireEye later decided to publish Saturday's blog
post after McAfee disclosed vulnerability details. McAfee, meanwhile, said the
earliest attack its researchers are aware of dates back to January. Microsoft's
next scheduled release of security updates is this Tuesday.


Zero-day attacks are typically served only on select individuals, such as those
who work for a government contractor, a government agency, or a similar
organization that's attractive to nation-sponsored hackers. Still, it's not
uncommon for such attacks to be visited on larger populations once the
underlying zero-day vulnerability becomes public knowledge.

People should be highly suspicious of any Word document that arrives in an
e-mail, even if the sender is well known. The attacks observed by McAfee are
unable to work when a booby-trapped document is viewed in an Office feature
known as Protected View. Those who choose to open an attached Word document
should exercise extreme caution before disabling Protected View. There's no word
yet on whether use of Microsoft's Enhanced Mitigation Experience Toolkit
prevents the exploit from working.


PROMOTED COMMENTS

 * Schwieb, Ars Scholae Palatinae et Subscriptor

   > egoebelbecker wrote:
   >
   > > coolfactor wrote:
   > >
   > > > No mention that this is Windows only? Does it affect Mac users at all?
   > > > I think that would be an important thing to discuss.
   >
   > The report linked to in the article doesn't say one way or another.
   > However, it does refer to "winword.exe," which would seem to mean it was
   > found on Windows.
   >
   > OLE does have limited support on Mac. So...?

   This does not affect MacOffice. While we do have an implementation of OLE,
   the CLSID for this object is ignored because application/hta objects don't
   exist on the Mac (the MIME type is Windows-specific). Even if OLE on the Mac
   understood that CLSID, there isn't any OS support for HTA scripting so it
   still wouldn't do anything.

   Schwieb
   Principal Software Engineer
   Office for Apple Platforms
   Microsoft Corporation

   953 posts | registered 9/19/2006



Dan Goodin Dan is the Security Editor at Ars Technica, which he joined in 2012
after working for The Register, the Associated Press, Bloomberg News, and other
publications.
Email dan.goodin@arstechnica.com // Twitter @dangoodin001
