It’s a Trap!! Infected Microsoft Word Files Exploiting Unpatched Vulnerability

A new virus is ‘in the wild’ that exploits a ‘zero-day’ vulnerability to infect or, in the worst case, wipe computers. The only known mitigation is to not download or view the infected files. One may also view the files using ‘Protected View’, which has been reported to work in this case. Opening the file outside of Protected View will infect the system, however.

Note: Disabling ‘Macros’ does not protect against this exploit. The exploit bypasses most system protections, including the tools built into Windows 10.

The infected Word document arrives via email. Once opened, it downloads malicious code from a remote site and installs various malware payloads. The virus also opens a ‘decoy’ Word document in an attempt to cover its behavior.

A patch is expected today, but patches are useless if they are not applied. The patch will likely be issued only for Windows 7, 8 and 10. Older Windows versions will likely remain vulnerable.

At a Glance:

Threat Level: HIGH
Delivery Method: Email
Infection Vector: MS Word Document: .doc, .docx, .rtf
Infection Type: Various malware libraries
Vulnerable: All Windows versions. All Office versions.

Actions:

1- Communicate and Educate: Make sure ALL users are aware

2- Until the patch is applied: use Protected View to view documents

You (or IT support) may also change registry files to automatically open documents in Protected View.

3- Pay attention to the patch cycle. Microsoft’s standard patch day is today. Make sure patches are applied and operational.
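As an added example (not from the original post), the following PowerShell script audits whether Word’s Protected View is still turned on for attachments and internet-sourced files, and can re-enable it. The registry path under `HKCU:\Software\Microsoft\Office\<version>\Word\Security\ProtectedView` and the three value names are assumed from Office’s per-user Trust Center settings; check them against Microsoft’s documentation for your Office version before deploying.

```powershell
# Added example, not code from the original post. Audits (and with -Enforce,
# restores) Word's Protected View settings for untrusted document sources.
# Registry location and value names are assumed; verify for your Office build.
param(
    [string]$OfficeVersion = '16.0',   # 15.0 = Office 2013, 16.0 = Office 2016/365
    [switch]$Enforce                   # without -Enforce the script only reports
)

# For each value: 0 or absent = Protected View ON for that source,
# 1 = a user or admin has switched Protected View OFF for that source.
$pvKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\ProtectedView"
$settings = @{
    'DisableInternetFilesInPV'   = 'files downloaded from the internet'
    'DisableAttachementsInPV'    = 'Outlook attachments'    # spelling as stored by Office
    'DisableUnsafeLocationsInPV' = 'files in unsafe locations'
}

if (-not (Test-Path $pvKey)) {
    if ($Enforce) {
        New-Item -Path $pvKey -Force | Out-Null
    } else {
        Write-Output "Key not present: $pvKey (Office defaults apply, Protected View on)"
    }
}

foreach ($name in $settings.Keys) {
    $current = (Get-ItemProperty -Path $pvKey -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($current -eq 1) { 'DISABLED' } else { 'enabled' }
    Write-Output ("Protected View for {0,-36} : {1}" -f $settings[$name], $state)

    # Only touch values that have actually been set to 1; leave defaults alone.
    if ($Enforce -and $current -eq 1) {
        Set-ItemProperty -Path $pvKey -Name $name -Value 0 -Type DWord
        Write-Output "  -> re-enabled"
    }
}
```

Run without parameters to get a report for the current user; add `-Enforce` to reset any source that has been opted out of Protected View.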

Outside Links:

Ars Technica
