Security Researchers Detect Zero-Day Vulnerability in Microsoft Office
Security companies McAfee and FireEye have detected a Microsoft zero-day bug in Office 2016 running on Windows 10.
The attack scenario for this zero-day vulnerability: a malicious document file containing an embedded OLE2link object is e-mailed to the victim. When the victim opens the attachment, winword.exe contacts a remote server over HTTP to retrieve a malicious .hta file that is disguised as an RTF file.
FireEye email and network products detect the malicious documents as Malware.Binary.Rtf.
The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide the user prompt generated by the OLE2link.
[Screenshot by McAfee]
Once the exploit has connected to the remote server, it downloads a file containing HTML Application content and executes it as an .hta file. Because an .hta file is executable, the attacker gains full code execution on the victim's machine.
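The two observable traits described above, an Office process fetching HTA content over HTTP and a file that is labelled RTF but does not contain RTF, both lend themselves to simple detection. The following Python is an added illustration, not code from the article, McAfee or FireEye. It checks constructed telemetry events (process name, requested URL, leading bytes of the response) for those traits, and separately decodes the hex blobs behind the RTF `\objdata` control word to report embedded objects whose data mentions OLE2Link. The sample events, the `example.invalid` URLs and the object bytes are all constructed placeholders, not indicators from the real campaign.

```python
import re

RTF_MAGIC = b"{\\rtf"

# Constructed sample events: (process, URL fetched, first bytes of the response body).
SAMPLE_EVENTS = [
    ("winword.exe", "http://example.invalid/template.rtf", b"{\\rtf1\\ansi\\deff0 ordinary document}"),
    ("winword.exe", "http://example.invalid/notes.rtf", b"<html><head><script language=\"VBScript\">"),
    ("chrome.exe", "http://example.invalid/page.hta", b"<html><body>"),
    ("winword.exe", "http://example.invalid/update.hta", b"<html><hta:application>"),
]

def is_rtf(body: bytes) -> bool:
    """Genuine RTF starts with the {\\rtf header; anything else labelled .rtf is suspect."""
    return body.lstrip().startswith(RTF_MAGIC)

def looks_like_hta(body: bytes) -> bool:
    """HTA content is HTML/script, so inspect the first bytes for those markers."""
    head = body.lstrip()[:256].lower()
    return head.startswith(b"<html") or b"<script" in head or b"<hta:application" in head

def classify_event(process: str, url: str, body: bytes) -> list:
    """Return the detection labels that apply to one (process, URL, body) event."""
    findings = []
    url_l = url.lower()
    if process.lower() == "winword.exe" and url_l.startswith("http"):
        # Word retrieving HTML Application content from a remote server.
        if url_l.endswith(".hta") or looks_like_hta(body):
            findings.append("office-process-fetched-hta")
        # The server presents the file as RTF but the content is not RTF.
        if url_l.endswith(".rtf") and not is_rtf(body):
            findings.append("rtf-extension-but-not-rtf-content")
    return findings

def classify_all(events) -> dict:
    """Map each URL to its findings, keeping only events that triggered something."""
    return {url: f for proc, url, body in events if (f := classify_event(proc, url, body))}

# \objdata is followed by the object's payload as a hex string (whitespace permitted).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

def embedded_objects(rtf: bytes) -> list:
    """Decode every \\objdata hex blob and report the ones whose bytes mention OLE2Link."""
    hits = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            continue  # malformed hex: skip rather than crash the scanner
        if b"ole2link" in blob.lower():
            hits.append("objdata-contains-OLE2Link")
    return hits

# Constructed RTF sample: the object bytes are placeholder padding around the OLE2Link
# name, not the real object structure used by the malicious documents.
OBJECT_BYTES = b"\x01\x05\x00\x00" + b"OLE2Link" + b"\x00\x00"
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink\\objdata "
              + OBJECT_BYTES.hex().encode("ascii") + b"}}")

if __name__ == "__main__":
    for url, findings in classify_all(SAMPLE_EVENTS).items():
        print(url, "->", ", ".join(findings))
    print("embedded objects:", embedded_objects(SAMPLE_RTF))
```

Both checks are deliberately cheap so they can run inline on proxy or sandbox data; the content check matters because an extension or Content-Type alone tells you nothing about what Word will actually execute.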
McAfee said in its blog: "The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office. (Check our Black Hat USA 2015 presentation, in which we examine the attack surface of this feature.)"
How to Protect?
Do not open document files from unknown e-mail senders.
This vulnerability is not yet patched. Microsoft is working on the bug, and this article will be updated once a patch is released.