There was a time when Word documents were the main vector of infections on PCs, due to the ease of creating Macro viruses and the power of the macro language Microsoft used.
That was, however, a very long time ago, and Microsoft has beefed up security in their Office suite quite a bit since then.
That’s about to change, however, as a new Word-based virus is doing the rounds, with no patch currently available.
Security researchers FireEye has revealed a new vulnerability in Word based on Windows Object Linking and Embedding (OLE), and which is currently doing the rounds in the wild.
The virus arrives by email, which when opened activates exploit code in the document which connects to an attacker-controlled server and then downloads a malicious HTML application file that’s disguised to look like a document created in Microsoft’s Rich Text Format. Once running the .hta file downloads additional payloads from “different well-known malware families” and then pops up a real word document to hide its activities.
The attack works on fully patched PCs and the only mitigation is not to download or open suspicious word files or only view them in Protected View, which does, in fact, protect users on this occasion. Disabling Macros does not offer any protection.
The new malware was discovered some weeks ago and FireEye has notified Microsoft of its existence, but a patch is not ready to be released yet.
Read more about the issue at FireEye here.
Update: Microsoft has patched the vulnerability, which was being actively exploited to spread the Dridex malware, and which was targeting banks and other financial institutions, in this month’s Patch Tuesday. Patch Tuesday also fixed two other critical vulnerabilities that were being actively exploited in the wild, including an elevation of privilege vulnerability in Internet Explorer and another issue with Office.