382 Computer Security Blog

[382] All About A Microsoft Word Zero-Day

Microsoft Word is no stranger to malware; criminals have been using Microsoft Word macros to infect computers since time immemorial, enough so that Microsoft, in addition to disabling macros by default, has an entirely different file extension for macro-enabled files (.docm instead of .docx, .xlsm instead of .xlsx, and so on).

Normally, however, ordinary documents aren’t capable of delivering malware payloads. Thanks to a Microsoft Word zero-day, any innocuous document, macros or not, is capable of infecting a system.

Worse, the vulnerability exists in all versions of Windows, up to Windows 10. Worse, it is actively being exploited, both by financial malware and even by state-sponsored attackers. Worse, while McAfee originally indicated that Microsoft Office Protected Mode prevented the payload’s delivery, one security researcher has found a way around it.

The exploit itself is somewhat complicated; McAfee describes the observed vulnerability as existing specifically in .rtf files, though such files are typically masked with a “.doc” extension. Once the file is opened, it triggers exploit code that downloads the full payload, stored in an .hta file but “disguised as a normal RTF file to evade security products.” This works by exploiting a zero-day vulnerability in Microsoft’s OLE technology.
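
As an added illustration (not code from the post or from McAfee), here is a defender-side triage check in Python for the masquerading the post describes: a file whose bytes are RTF but whose name says .doc. As an extra heuristic it also flags the RTF control words that embed or link an OLE object; the choice of control words and the sample documents are my own assumptions, not details taken from the post.

```python
import re
from pathlib import Path

# Every RTF file begins with the literal "{\rtf", whatever its extension says.
RTF_MAGIC = b"{\\rtf"

# Standard RTF control words that embed or link an OLE object. Treating a
# linked/auto-updating object in a disguised RTF as suspicious is a heuristic
# (assumption), not something the post specifies.
OLE_CONTROL_WORDS = (b"\\object", b"\\objdata", b"\\objautlink", b"\\objupdate")


def scan_document(name: str, data: bytes) -> dict:
    """Triage one document given its file name and raw bytes."""
    ext = Path(name).suffix.lower()
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    findings = {
        "name": name,
        "is_rtf": is_rtf,
        # The masquerade from the post: RTF content under a .doc name.
        "extension_mismatch": is_rtf and ext == ".doc",
        "ole_controls": [],
    }
    if is_rtf:
        for cw in OLE_CONTROL_WORDS:
            # A control word ends at the first non-letter, so \objdata does
            # not match a longer word that merely starts with it.
            if re.search(re.escape(cw) + rb"(?![a-z])", data):
                findings["ole_controls"].append(cw.decode())
    # Flag only the combination: disguised RTF that also carries an OLE object.
    findings["suspicious"] = findings["extension_mismatch"] and bool(findings["ole_controls"])
    return findings


def scan_path(path: str) -> dict:
    """Convenience wrapper: read a file from disk and triage it."""
    return scan_document(path, Path(path).read_bytes())


# Constructed samples (not real malware): a plain RTF renamed to .doc, and an
# RTF renamed to .doc that carries an auto-updating linked OLE object.
BENIGN_RTF = b"{\\rtf1\\ansi Hello world.\\par }"
LINKED_OBJECT_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate"
                     b"{\\*\\objdata 01050000}}\\par }")

if __name__ == "__main__":
    for fname, blob in (("report.doc", BENIGN_RTF), ("invoice.doc", LINKED_OBJECT_RTF)):
        print(scan_document(fname, blob))
```

The mismatch alone is only a signal; plenty of legitimate RTF files are saved with a .doc name, which is why the check reports it separately from the OLE heuristic.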

‘Course, there is good news: a patch has been released. All Windows users should update immediately; the vulnerability also appears to exist in Microsoft WordPad, so anyone who uses Windows, Office or not, is potentially at risk. Users who have yet to update should avoid opening .doc and .rtf files in the meantime.
