Thread: Windows 10?
April 12th, 2017, 09:30 AM   #1333
Ernesto75
Vintage Member
Zero-day attack and Microsoft Word

There is a zero-day attack relating to all versions of Microsoft Word.

Here is what you can read on a McAfee blog:

The samples we have detected are organized as Word files (more specifically, RTF files with a “.doc” extension).
The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10.
The earliest attack we have seen dates to late January.

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file.
Because .hta is executable, the attacker gains full code execution on the victim’s machine.
Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft.
The following is a part of the communications we captured:

The .hta content is disguised as a normal RTF file to evade security products, but we can find the malicious Visual Basic scripts in a later part of the file:

The successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system.

The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office.
(Check our Black Hat USA 2015 presentation, in which we examine the attack surface of this feature.)

Microsoft was notified of this weakness.

The advice is this:
Do not open any Office files obtained from untrusted locations.
Ensure that Office Protected View is enabled.

Last edited by Ernesto75; April 12th, 2017 at 02:01 PM..
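A defender-side triage check that follows from the description above (RTF content hiding behind a “.doc” extension, with OLE objects as the root cause), written as an added example for this thread and not code from the McAfee post; the file names, the sample bytes and the control-word list used as a heuristic are constructed assumptions.

```python
"""Flag Office-named files whose content is actually RTF carrying OLE objects.

Heuristic (assumption, not a McAfee rule): a body that starts with the RTF
magic but is named .doc/.docx/.dot, and that contains RTF OLE control words,
deserves a look in a sandbox or Protected View before anyone opens it.
"""
from pathlib import Path

RTF_MAGIC = b"{\\rtf"
# RTF control words that introduce embedded OLE objects (from the RTF spec)
OLE_WORDS = (b"\\object", b"\\objdata")
OFFICE_EXT = {".doc", ".docx", ".dot", ".rtf"}

# Constructed sample inputs: an RTF with an OLE object named as .doc,
# a genuine OLE2 compound file (real .doc header), and a plain .rtf.
SAMPLES = {
    "invoice.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "notes.rtf": b"{\\rtf1\\ansi Hello}",
}


def classify(name: str, data: bytes) -> dict:
    """Return a triage verdict for one file name and its content bytes."""
    ext = Path(name).suffix.lower()
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    ole_words = [w.decode() for w in OLE_WORDS if w in data]
    # Extension claims a Word binary/XML document but the bytes say RTF
    mismatch = is_rtf and ext != ".rtf" and ext in OFFICE_EXT
    return {
        "ext": ext,
        "is_rtf": is_rtf,
        "ole_words": ole_words,
        "extension_mismatch": mismatch,
        "suspicious": mismatch and bool(ole_words),
    }


def triage(files: dict) -> list:
    """Names of files that trip both the mismatch and the OLE heuristic."""
    return [n for n, d in files.items() if classify(n, d)["suspicious"]]


if __name__ == "__main__":
    for n, d in SAMPLES.items():
        print(n, classify(n, d))
    print("suspicious:", triage(SAMPLES))
```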