McAfee researchers discovered an unknown vulnerability in Microsoft Word (application of Office), which can be used to install different types of malware even on fully updated computers.
Unlike most vulnerabilities of Office this zero-day bug (not yet fixed) does not use macros. Office macros are a known application vulnerability.
Vulnerability is triggered when the victim opens a dumb Word document that downloads a malicious HTML application from a server that is disguised to resemble a Rich Text document. The HTML application downloads and runs a malicious script that can be used to install malware.
McAfee researchers, who first discovered and published the vulnerability on Friday, say that because the HTML application is executable, an attacker can execute code on any computer and can bypass out-of-memory mitigations designed to prevent such attacks.
McAfee and FireEye (the latter published a similar warning on Saturday) agreed on the cause of the vulnerability. The issue is related to Windows Object Linking and Embedding (OLE), which allows an application to link and integrate content into other documents, according to researchers. The Windows OLE feature is mainly used in Office and Windows, embedded in WordPad, and is the cause of many vulnerabilities over the past few years.
Researchers report that the bug can be exploited in all versions of the Office, including the latest Office 2016 running on Windows 10, and have detected such attacks on the Internet since January.
A Microsoft spokesman confirmed that company will issue an update for the bug on Tuesday as part of its monthly update rollout.