
Attackers Hit Microsoft Word Through Unpatched Flaw

Malicious hackers have exploited a previously-unknown, unpatched flaw in Microsoft Word, the tech titan has warned.

The attacks took advantage of a freshly uncovered weakness (a “zero day” flaw) in how Word parses Rich Text Format (RTF) files, combining it with a bypass of Microsoft’s address space layout randomization (ASLR). ASLR is a technology that strengthens security by randomising the memory layout of an executing program, decreasing the probability that an exploit will work.

Exploits could take place without the user clicking a thing, as code could be executed simply by viewing the preview pane in Outlook. However, Microsoft said it had never seen an attack using this method.

Zero-day Word attack

“At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010,” the firm said in an advisory. Attacks on Word 2013, the latest version of the software, failed.

“The attack detected in the wild is limited and very targeted in nature. The malicious document is designed to trigger a memory corruption vulnerability in the RTF parsing code. The attacker embedded a secondary component in order to bypass ASLR, and leveraged return-oriented-programming [ROP] techniques using native RTF encoding schemes to craft ROP gadgets.”

In any case, the shellcode used in the zero-day attacks would not perform any additional malicious action if there were updates installed after 8 April 2014.

The malware dropped by the shellcode was a “generic” backdoor, Microsoft said. It was written in Visual Basic 6, communicated over HTTPS, and could run additional programs when launched.

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) should block attacks if users can turn it on. Otherwise, they should block RTF files completely or ensure Word opens RTF documents in Protected View, which can be done via Trust Center settings.

A Fix it solution has been made available within the advisory. Mac users running Word are affected too.
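Blocking RTF at a mail gateway by file extension alone misses RTF content saved under another name such as .doc, so the check should also look at the file signature. The Python below is an added example, not code from the article or from Microsoft's advisory; the function names and the sample message are constructed for illustration.

```python
import email
import email.policy
from email.message import EmailMessage

# Loose on purpose: only the first four bytes of the "{\rtf1" header are
# matched, so a slightly malformed header keyword is still caught.
RTF_PREFIX = b"{\\rt"
RTF_TYPES = {"application/rtf", "text/rtf"}

def looks_like_rtf(data: bytes) -> bool:
    """True if the bytes begin with the RTF signature (BOM/whitespace skipped)."""
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]
    return data.lstrip()[:4].lower() == RTF_PREFIX

def find_rtf_parts(raw: bytes):
    """Return (filename, declared_type, matched_on) for each RTF-like MIME part."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(body)"
        ctype = part.get_content_type()
        if looks_like_rtf(data):
            hits.append((name, ctype, "content"))    # signature match
        elif name.lower().endswith(".rtf") or ctype in RTF_TYPES:
            hits.append((name, ctype, "declared"))   # name or MIME type only
    return hits

def build_sample() -> bytes:
    """Constructed test message: RTF bytes named .doc, plus a non-RTF .rtf file."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"{\\rtf1\\ansi Hello}", maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment(b"PK\x03\x04 not rtf", maintype="application",
                       subtype="octet-stream", filename="notes.rtf")
    return msg.as_bytes()

if __name__ == "__main__":
    for hit in find_rtf_parts(build_sample()):
        print(hit)
```

This covers ordinary MIME attachments only; RTF carried inside other containers is outside what this sketch inspects.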

Drew Hintz, Shane Huntley, and Matty Pellegrino from the Google security team were credited with finding the attacks.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
