Software researchers at McAfee and FireEye have disclosed ‘in-the-wild’ attacks that exploit a zero-day vulnerability in Microsoft Word. The vulnerability allows attackers to install malware on remote machines.
According to a FireEye blog:
The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
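The sequence in the quoted description (winword.exe makes an HTTP request, the Microsoft HTA host mshta.exe starts, winword.exe is terminated) can be hunted for in endpoint telemetry. The following correlation is an added example, not code from FireEye, McAfee or this article; the event records are constructed, and the field names, the 30-second window and the severity labels are assumptions.

```python
from datetime import datetime, timedelta

# Constructed telemetry (not real logs); field names are hypothetical.
EVENTS = [
    {"ts": "2017-04-10T09:00:01", "host": "ws-01", "type": "net", "image": "WINWORD.EXE",
     "url": "http://example.test/template.doc"},
    {"ts": "2017-04-10T09:00:03", "host": "ws-01", "type": "start", "image": "mshta.exe"},
    {"ts": "2017-04-10T09:00:05", "host": "ws-01", "type": "exit", "image": "WINWORD.EXE"},
    {"ts": "2017-04-10T09:00:06", "host": "ws-01", "type": "start", "image": "WINWORD.EXE"},  # decoy opens
    {"ts": "2017-04-10T10:15:00", "host": "ws-02", "type": "net", "image": "WINWORD.EXE",
     "url": "http://example.test/help"},
    {"ts": "2017-04-10T11:40:00", "host": "ws-02", "type": "start", "image": "mshta.exe"},  # outside window
]


def _is(ev, kind, image):
    """True if the event is of the given type for the given process image."""
    return ev["type"] == kind and ev["image"].lower() == image


def find_ole2link_chains(events, window=timedelta(seconds=30)):
    """Alert on each winword.exe HTTP request that is followed, on the same host
    and within `window`, by an mshta.exe start. Severity is 'high' when
    winword.exe also exits after mshta.exe started (the hidden-prompt step)."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(parsed):
        if not _is(ev, "net", "winword.exe"):
            continue
        # Later events on the same host that fall inside the correlation window.
        later = [e for e in parsed[i + 1:]
                 if e["host"] == ev["host"] and e["ts"] - ev["ts"] <= window]
        hta = next((e for e in later if _is(e, "start", "mshta.exe")), None)
        if hta is None:
            continue
        killed = any(_is(e, "exit", "winword.exe") and e["ts"] >= hta["ts"] for e in later)
        alerts.append({"host": ev["host"], "url": ev["url"],
                       "severity": "high" if killed else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_ole2link_chains(EVENTS):
        print(alert)
```
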
It’s unknown how many users have been compromised due to this security flaw, but thanks to Proofpoint, we do know that malicious documents have been sent to millions of users to distribute the dreaded Dridex banking Trojan.
According to various reports, the vulnerability has been known to Microsoft since January, but the company has not yet patched it or issued a public advisory to warn users.
“The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack we have seen dates to late January,” McAfee wrote in a blog post.
It’s alarming to see that Microsoft has not fixed the issue for almost four months now. I recall that Microsoft delayed patches for February even when there were some known vulnerabilities.
It’s even more concerning in the light of recent Wikileaks revelations that the CIA and other government agencies exploit security holes to compromise the systems of their targets. I would expect prompt action from companies to protect users from not only government agencies, but also criminals unless… I don’t want to say it. But instead of fixing issues immediately and patching the affected products, Microsoft’s silence and delay are raising some serious questions.
A conspiracy theorist, not me, may wonder whether Microsoft is deliberately delaying patches or remaining silent to let government agencies exploit these holes and compromise the systems of their targets before they are fixed. If that is the case, should individuals, businesses and even government agencies around the globe trust Microsoft products?
I am not a Linux or open source advocate anymore (I used to be at one point in time); I am becoming technology and product agnostic, and I use every possible piece of technology that I can cram into my life.
I recommend the best tools for the job, but given the way Microsoft is handling serious flaws in its products and the way government agencies are using flaws to compromise computers, it’s about time people started thinking twice before using Microsoft’s products. It’s about time people started looking at open source alternatives to Microsoft products.
Close your Windows, wipe off your Words and open your doors for desktop Linux and LibreOffice.