arstechnica.com
Open in
urlscan Pro
18.119.39.54
Public Scan
Submitted URL: https://arstechnica.com/security/2017/04/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/
Effective URL: https://arstechnica.com/information-technology/2017/04/booby-trapped-word-documents-in-the-wild-exploit-critical-microso...
Submission Tags: falconsandbox
Submission: On August 13 via api from US — Scanned from DE
Effective URL: https://arstechnica.com/information-technology/2017/04/booby-trapped-word-documents-in-the-wild-exploit-critical-microso...
Submission Tags: falconsandbox
Submission: On August 13 via api from US — Scanned from DE
Form analysis
2 forms found in the DOMGET /search/
<form action="/search/" method="GET" id="search_form">
<input type="hidden" name="ie" value="UTF-8">
<input type="text" name="q" id="hdr_search_input" value="" aria-label="Search..." placeholder="Search...">
</form>
POST https://arstechnica.com/civis/ucp.php?mode=login
<form id="login-form" action="https://arstechnica.com/civis/ucp.php?mode=login" method="post">
<input type="text" name="username" id="username" placeholder="Username or Email" aria-label="Username or Email">
<input type="password" name="password" id="password" placeholder="Password" aria-label="Password">
<input type="submit" value="Submit" class="button button-orange button-wide" name="login">
<label id="remember-label">
<input type="checkbox" name="autologin" id="autologin"> Stay logged in</label> <span>|</span> <a href="/civis/ucp.php?mode=sendpassword">Having trouble?</a>
<input type="hidden" name="redirect" value="./ucp.php?mode=login&autoredirect=1&return_to=%2Finformation-technology%2F2017%2F04%2Fbooby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day%2F">
<input type="hidden" name="return_to" value="/information-technology/2017/04/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/">
<input type="hidden" name="from_homepage" value="1">
</form>
Text Content
Skip to main content * Biz & IT * Tech * Science * Policy * Cars * Gaming & Culture * Store * Forums Subscribe Close NAVIGATE * Store * Subscribe * Videos * Features * Reviews * RSS Feeds * Mobile Site * About Ars * Staff Directory * Contact Us * Advertise with Ars * Reprints FILTER BY TOPIC * Biz & IT * Tech * Science * Policy * Cars * Gaming & Culture * Store * Forums SETTINGS Front page layout Grid List Site theme Black on white White on black Sign in COMMENT ACTIVITY Sign up or login to join the discussions! Stay logged in | Having trouble? Sign up to comment and more Sign up BIZ & IT — BOOBY-TRAPPED WORD DOCUMENTS IN THE WILD EXPLOIT CRITICAL MICROSOFT 0-DAY THERE’S CURRENTLY NO PATCH FOR THE BUG, WHICH AFFECTS MOST OR ALL VERSIONS OF WORD. Dan Goodin - 4/8/2017, 8:00 PM Rob Enslin READER COMMENTS 188 with 109 posters participating, including story author SHARE THIS STORY * Share on Facebook * Share on Twitter * Share on Reddit Update, 4/10/2017, 9:20 AM California time: Security experts are reporting that Microsoft will patch the vulnerability on Tuesday. In the meantime, users can block code-execution exploits by adding the following to their Windows registry: Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2 and OpenInProtectedView to 0. What follows is the report as it was published on Saturday. There's a new zero-day attack in the wild that's surreptitiously installing malware on fully patched computers. It does so by exploiting a vulnerability in most or all versions of Microsoft Word. The attack starts with an e-mail that attaches a malicious Word document, according to a blog post published Saturday by researchers from security firm FireEye. Once opened, exploit code concealed inside the document connects to an attacker-controlled server. It downloads a malicious HTML application file that's disguised to look like a document created in Microsoft's Rich Text Format. Behind the scenes, the .hta file downloads additional payloads from "different well-known malware families." The attack is notable for several reasons. First, it bypasses most exploit mitigations: this capability allows it to work even against Windows 10, which security experts widely agree is Microsoft's most secure operating system to date. Second, unlike the vast majority of the Word exploits seen in the wild over the past few years, this new attack doesn't require targets to enable macros. Last, before terminating, the exploit opens a decoy Word document in an attempt to hide any sign of the attack that just happened. The zero-day attacks were first reported Friday evening by researchers from security firm McAfee. In a blog post, they wrote: > The exploit connects to a remote server (controlled by the attacker), > downloads a file that contains HTML application content, and executes it as an > .hta file. Because .hta is executable, the attacker gains full code execution > on the victim's machine. Thus, this is a logical bug [that] gives the > attackers the power to bypass any memory-based mitigations developed by > Microsoft. The following is a part of the communications we captured: > > Enlarge > Enlarge > > The successful exploit closes the bait Word document and pops up a fake one to > show the victim. In the background, the malware has already been stealthily > installed on the victim's system. > > The root cause of the zeroday vulnerability is related to the Windows Object > Linking and Embedding (OLE), an important feature of Office. (Check our Black > Hat USA 2015 presentation in which we examine the attack surface of this > feature.) FireEye researchers said they have been communicating with Microsoft about the vulnerability for several weeks and had agreed not to publicly disclose it pending the release of a patch. FireEye later decided to publish Saturday's blog post after McAfee disclosed vulnerability details. McAfee, meanwhile, said the earliest attack its researchers are aware of dates back to January. Microsoft's next scheduled release of security updates is this Tuesday. Advertisement Zero-day attacks are typically served only on select individuals, such as those who work for a government contractor, a government agency, or a similar organization that's attractive to nation-sponsored hackers. Still, it's not uncommon for such attacks to be visited on larger populations once the underlying zero-day vulnerability becomes public knowledge. People should be highly suspicious of any Word document that arrives in an e-mail, even if the sender is well known. The attacks observed by McAfee are unable to work when a booby-trapped document is viewed in an Office feature known as Protected View. Those who choose to open an attached Word document should exercise extreme caution before disabling Protected View. There's no word yet if use of Microsoft's Enhanced Mitigation Experience Toolkit prevents the exploit from working. PROMOTED COMMENTS * Schwieb Ars Scholae Palatinae et Subscriptor jump to post egoebelbecker wrote: coolfactor wrote: No mention that this is Windows only? Does it affect Mac users at all? I think that would be an important thing to discuss. The report linked to in the article doesn't say one way or another. However, it does refer to "winword.exe," which would seem to mean it was found on Windows. OLE does have limited support on Mac. So...? This does not affect MacOffice. While we do have an implementation of OLE, the CLSID for this object is ignored because application/hta objects don't exist on the Mac (the mime type is Windows-specific). Even if OLE on the Mac understood that CLSID, there isn't any OS support for HTA scripting so it still wouldn't do anything. Schwieb Principal Software Engineer Office for Apple Platforms Microsoft Corporation 953 posts | registered 9/19/2006 READER COMMENTS 188 with 109 posters participating, including story author SHARE THIS STORY * Share on Facebook * Share on Twitter * Share on Reddit Dan Goodin Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Email dan.goodin@arstechnica.com // Twitter @dangoodin001 Advertisement You must login or create an account to comment. CHANNEL ARS TECHNICA UNSOLVED MYSTERIES OF QUANTUM LEAP WITH DONALD P. BELLISARIO Today "Quantum Leap" series creator Donald P. Bellisario joins Ars Technica to answer once and for all the lingering questions we have about his enduringly popular show. Was Dr. Sam Beckett really leaping between all those time periods and people or did he simply imagine it all? What do people in the waiting room do while Sam is in their bodies? What happens to Sam's loyal ally Al? 30 years following the series finale, answers to these mysteries and more await. * UNSOLVED MYSTERIES OF QUANTUM LEAP WITH DONALD P. BELLISARIO * UNSOLVED MYSTERIES OF WARHAMMER 40K WITH AUTHOR DAN ABNETT * SITREP: F-16 REPLACEMENT SEARCH A SIGNAL OF F-35 FAIL? * SITREP: BOEING 707 * STEVE BURKE OF GAMERSNEXUS REACTS TO THEIR TOP 1000 COMMENTS ON YOUTUBE * MODERN VINTAGE GAMER REACTS TO HIS TOP 1000 COMMENTS ON YOUTUBE * HOW THE NES CONQUERED A SKEPTICAL AMERICA IN 1985 * SCOTT MANLEY REACTS TO HIS TOP 1000 YOUTUBE COMMENTS * HOW HORROR WORKS IN AMNESIA: REBIRTH, SOMA AND AMNESIA: THE DARK DESCENT * LGR'S CLINT BASINGER REACTS TO HIS TOP 1000 YOUTUBE COMMENTS * THE F-35'S NEXT TECH UPGRADE * HOW ONE GAMEPLAY DECISION CHANGED DIABLO FOREVER * UNSOLVED MORTAL KOMBAT MYSTERIES WITH DOMINIC CIANCIOLO FROM NETHERREALM STUDIOS * US NAVY GETS AN ITALIAN ACCENT * HOW AMAZON’S “UNDONE” ANIMATES DREAMS WITH ROTOSCOPING AND OIL PAINTS * FIGHTER PILOT BREAKS DOWN EVERY BUTTON IN AN F-15 COCKPIT * HOW NBA JAM BECAME A BILLION-DOLLAR SLAM DUNK * LINUS "TECH TIPS" SEBASTIAN REACTS TO HIS TOP 1000 YOUTUBE COMMENTS * HOW ALAN WAKE WAS REBUILT 3 YEARS INTO DEVELOPMENT * HOW PRINCE OF PERSIA DEFEATED APPLE II'S MEMORY LIMITATIONS * HOW CRASH BANDICOOT HACKED THE ORIGINAL PLAYSTATION * MYST: THE CHALLENGES OF CD-ROM | WAR STORIES * MARKIPLIER REACTS TO HIS TOP 1000 YOUTUBE COMMENTS * HOW MIND CONTROL SAVED ODDWORLD: ABE'S ODDYSEE * BIOWARE ANSWERS UNSOLVED MYSTERIES OF THE MASS EFFECT UNIVERSE * CIVILIZATION: IT'S GOOD TO TAKE TURNS | WAR STORIES * SITREP: DOD RESETS BALLISTIC MISSILE INTERCEPTOR PROGRAM * WARFRAME'S REBECCA FORD REVIEWS YOUR CHARACTERS * SUBNAUTICA: A WORLD WITHOUT GUNS | WAR STORIES * HOW SLAY THE SPIRE’S ORIGINAL INTERFACE ALMOST KILLED THE GAME | WAR STORIES * AMNESIA: THE DARK DESCENT - THE HORROR FACADE | WAR STORIES * COMMAND & CONQUER: TIBERIAN SUN | WAR STORIES * BLADE RUNNER: SKINJOBS, VOXELS, AND FUTURE NOIR | WAR STORIES * DEAD SPACE: THE DRAG TENTACLE | WAR STORIES * TEACH THE CONTROVERSY: FLAT EARTHERS * DELTA V: THE BURGEONING WORLD OF SMALL ROCKETS, PAUL ALLEN'S HUGE PLANE, AND SPACEX GETS A CRUCIAL GREEN-LIGHT * CHRIS HADFIELD EXPLAINS HIS 'SPACE ODDITY' VIDEO * THE GREATEST LEAP, EPISODE 1: RISK * ULTIMA ONLINE: THE VIRTUAL ECOLOGY | WAR STORIES More videos ← Previous story Next story → RELATED STORIES Sponsored Stories [Galerie] Ihr war das gewagteste Outfit beim Burning Man Festival HistoryA2Z If You Have Trouble Breathing, You Might Need This Strange Device Air Physio [Bilder] 40 Fotos von Golf-Star Paige Spiranac Housediver [Fotos] Auf diese 11 Dinge achten Flugbegleiter bei den Gästen als Erstes VoucherCodes [Fotos] Niemand hat jemals zuvor eine so große Kreatur gesehen VoucherCodes [Fotos] Diese Fotos zeigen: So geht es wirklich beim Burning Man Festival zu VoucherCodes Recommended by TODAY ON ARS * Store * Subscribe * About Us * RSS Feeds * View Mobile Site * Contact Us * Staff * Advertise with us * Reprints NEWSLETTER SIGNUP Join the Ars Orbital Transmission mailing list to get weekly updates delivered to your inbox. Sign me up → CNMN Collection WIRED Media Group © 2022 Condé Nast. All rights reserved. Use of and/or registration on any portion of this site constitutes acceptance of our User Agreement (updated 1/1/20) and Privacy Policy and Cookie Statement (updated 1/1/20) and Ars Technica Addendum (effective 8/21/2018). Ars may earn compensation on sales from links on this site. Read our affiliate link policy. Your California Privacy Rights | Manage Preferences The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast. Ad Choices WE CARE ABOUT YOUR PRIVACY We and our partners store and/or access information on a device, such as unique IDs in cookies to process personal data. You may accept or manage your choices by clicking below or at any time in the privacy policy page. These choices will be signaled to our partners and will not affect browsing data. WE AND OUR PARTNERS PROCESS DATA TO PROVIDE: Use precise geolocation data. Actively scan device characteristics for identification. Store and/or access information on a device. Personalised ads and content, ad and content measurement, audience insights and product development. List of Partners (vendors) I Accept Show Purposes