Begin forwarded message:
From: "Kittredge, Dirk" <Dirk.Kittredge@xxxxxxxxxxxxxx>
Date: April 11, 2017 at 8:15:14 AM MDT
To: "dirk@xxxxxxxxxxxx" <dirk@xxxxxxxxxxxx>
Subject: Newly Discovered Microsoft Word Exploit

There's a new zero-day attack in the wild that's surreptitiously installing
malware on fully-patched computers. It does so by exploiting a vulnerability
in most or all versions of Microsoft Word.

The attack starts with an e-mail that attaches a malicious Word document,
according to a blog post published Saturday by researchers from security firm
FireEye. Once opened, exploit code concealed inside the document connects to
an attacker-controlled server. It downloads a malicious HTML application file
that's disguised to look like a document created in Microsoft's Rich Text
Format. Behind the scenes, the .hta file downloads additional payloads from
"different well-known malware families."

The attack is notable for several reasons. First, it bypasses most exploit
mitigations: This capability allows it to work even against Windows 10, which
security experts widely agree is Microsoft's most secure operating system to
date. Second, unlike the vast majority of the Word exploits seen in the wild
over the past few years, this new attack doesn't require targets to enable
macros. Last, before terminating, the exploit opens a decoy Word document in
an attempt to hide any sign of the attack that just happened.

People should be highly suspicious of any Word document that arrives in an
e-mail, even if the sender is well known. The attacks observed by McAfee are
unable to work when a booby-trapped document is viewed in an Office feature
known as Protected View. Those who choose to open an attached Word document
should exercise extreme caution before disabling Protected View. There's no
word yet if use of Microsoft's Enhanced Mitigation Experience Toolkit
prevents the exploit from working.

Dirk Kittredge
Senior Consultant – Marketing | Windstream
1200 17th Street, Suite 1050, Denver, CO 80241
Dirk.Kittredge@xxxxxxxxxxxxxx | windstreambusiness.com
o: (720) 529-7661 | m: (303) 868-5094