McAfee researchers have discovered an unknown vulnerability in Microsoft Word (Office application), which can be used to install different kinds of malware even on fully-updated computers.
Unlike most Office vulnerabilities this zero-day bug (not yet patched) does not use macroscommands. Macros in Office are a known application vulnerability.
Η ευπάθεια ενεργοποιείται όταν το θύμα ανοίγει ένα πειραγμένο έγγραφο του Word, το οποίο κατεβάζει μια κακόβουλη εφαρμογή HTML από ένα διακομιστή, που είναι μεταμφιεσμένη για να μοιάζει με ένα αρχείο Rich Text document. Η εφαρμογή HTML κατεβάζει και τρέχει ένα κακόβουλο script which can be used to install malware.
McAfee researchers, who first discovered and published the vulnerability on Friday, say that because the HTML application is executable, an attacker can execute code on each computer and can avoid memory mitigations designed to prevent such attacks.
McAfee and FireEye (the latter published a similar warning on Saturday) agreed on the cause of the vulnerability. The issue is related to the Windows Object Linking and Embedding (OLE) feature, which allows an application to link and embed content in other documents, according to the researchers. The Windows OLE feature is mainly used in Office and Windows, it is built into the wordpad, and is the cause of many vulnerabilities over the past few years.
Researchers report that the bug can be exploited in all versions of Office, including the latest Office 2016 running on Windows 10, and have identified such attacks in Internet since January.
A Microsoft spokesman confirmed that the company will issue an update on the error on Tuesday as part of the monthly release of updates.