Hackers are Attacking Word Users with Microsoft Office Zero-Day Vulnerability

security

Hackers are exploiting a previously undisclosed vulnerability in Microsoft Word, which security researchers say can be used to quietly install different kinds of malware — even on fully patched computers, according to tech news and analysis site ZDNet.

Unlike most document-related vulnerabilities, this zero-day bug that has yet to be patched does not rely on macros — in which Office typically warns users of risks when opening macro-enabled files.

Instead, the vulnerability is triggered when a victim opens a trick Word document, which downloads a malicious HTML application from a server, disguised to look like a Rich Text document file as a decoy. The HTML application meanwhile downloads and runs a malicious script that can be used to surreptitiously install malware.

Researchers at McAfee, who first reported the discovery Friday, said because the HTML application is executable, the attacker can run code on the affected computer while evading memory-based mitigations designed to prevent these kinds of attacks.

Both McAfee and cybersecurity company FireEye agreed on the cause of the vulnerability. The issue relates to the Windows Object Linking and Embedding (OLE) function, which allows an application to link and embed content to other documents, according to researchers. The Windows OLE feature is used primarily in Office and Windows’ built-in document viewer WordPad, but has been the cause of numerous vulnerabilities over the past few years, ZDNet said.

The bug can be exploited on all versions of Office, including the latest Office 2016 running on Windows 10. Attacks have been spotted in the wild since January, ZDNet said.

A Microsoft spokesperson confirmed that the company will issue a fix for the bug Tuesday as part of its monthly release of security fixes and patches.

About the Author

Richard Chang is associate editor of THE Journal. He can be reached at [email protected].

Featured

  • data professionals in a meeting

    Data Fluency as a Strategic Imperative

    As an institution's highest level of data capabilities, data fluency taps into the agency of technical experts who work together with top-level institutional leadership on issues of strategic importance.

  • row of students using computers in a library

    A Return to Openness: Apereo Examines Sustainability in Open Source

    Surprisingly, on many of our campuses, even the IT leadership responsible for the lion's share of technology deployments doesn't realize the extent to which the institution is dependent on open source. And that lack of awareness can be a threat to campuses.

  • laptop displaying a phishing email icon inside a browser window on the screen

    Phishing Campaign Targets ED Grant Portal

    Threat researchers at cybersecurity company BforeAI have identified a phishing campaign spoofing the U.S. Department of Education's G5 grant management portal.

  • student and teacher using AI-enabled laptops, with rising arrows on a graph

    Student and Teacher AI Use Jumps Nearly 30% in One Year

    In a recent survey from learning platform Quizlet, 85% of high school and college students and teachers said they use AI technology, compared to 66% in 2024 — a 29% increase year over year.