Hackers are Attacking Word Users with Microsoft Office Zero-Day Vulnerability


Hackers are exploiting a previously undisclosed vulnerability in Microsoft Word, which security researchers say can be used to quietly install different kinds of malware — even on fully patched computers, according to tech news and analysis site ZDNet.

Unlike most document-related vulnerabilities, this zero-day bug, which has yet to be patched, does not rely on macros. Office typically warns users of the risks when they open macro-enabled files.

Instead, the vulnerability is triggered when a victim opens a specially crafted Word document. The document downloads a malicious HTML application from a server; the application is disguised to look like a Rich Text document file as a decoy. The HTML application, meanwhile, downloads and runs a malicious script that can be used to surreptitiously install malware.
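A defender can hunt for this delivery pattern in web-proxy logs: a response served as an HTML application when the client is Office or the URL claims to be a document. The following is an added example, not code from ZDNet, McAfee or FireEye; the JSON log layout, field names, User-Agent markers and sample events are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Assumptions, not from the article: a JSON-lines proxy log with these field
# names, and Office clients recognisable by these User-Agent substrings.
OFFICE_UA_MARKERS = ("ms-office", "microsoft office")
HTA_TYPE = "application/hta"          # MIME type Windows registers for .hta
DECOY_EXTENSIONS = (".rtf", ".doc", ".docx")

# Constructed sample events; hosts are reserved example domains.
SAMPLE_LOG = """\
{"src":"10.0.4.21","ua":"Mozilla/4.0 (compatible; ms-office; MSOffice 16)","url":"http://files.example.net/invoice.rtf","content_type":"application/hta"}
{"src":"10.0.4.21","ua":"Mozilla/4.0 (compatible; ms-office; MSOffice 16)","url":"http://intranet.example.org/report.docx","content_type":"application/msword"}
{"src":"10.0.7.3","ua":"Mozilla/5.0 (Windows NT 10.0) Firefox/52.0","url":"http://tools.example.org/setup.hta","content_type":"application/hta"}
{"src":"10.0.9.8","ua":"curl/7.50","url":"http://files.example.net/notes.doc?id=7","content_type":"Application/HTA; charset=utf-8"}
this line is truncated {"src":
"""


def classify(event):
    """Return a severity for one response event, or None if it is not an HTA."""
    ctype = event.get("content_type", "").split(";")[0].strip().lower()
    if ctype != HTA_TYPE:
        return None
    ua = event.get("ua", "").lower()
    from_office = any(marker in ua for marker in OFFICE_UA_MARKERS)
    # Use the URL path only, so a query string cannot hide the extension.
    path = urlparse(event.get("url", "")).path.lower()
    looks_like_document = path.endswith(DECOY_EXTENSIONS)
    if from_office and looks_like_document:
        return "high"      # Office fetched a "document" that is really an HTA
    if from_office or looks_like_document:
        return "medium"
    return "low"           # an HTA download worth reviewing, but no decoy


def scan(log_text):
    """Return (line_no, severity, src, url) for every HTA response found."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue       # skip blank or malformed lines rather than abort
        severity = classify(event) if isinstance(event, dict) else None
        if severity:
            findings.append((line_no, severity, event.get("src"), event.get("url")))
    return findings
```

The check keys on the server-declared content type, so it should be paired with endpoint telemetry where the proxy cannot see inside TLS.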

Researchers at McAfee, who first reported the discovery Friday, said that because the HTML application is executable, the attacker can run code on the affected computer while evading memory-based mitigations designed to prevent these kinds of attacks.

Both McAfee and cybersecurity company FireEye agreed on the cause of the vulnerability. The issue relates to the Windows Object Linking and Embedding (OLE) function, which allows an application to link and embed content to other documents, according to researchers. The Windows OLE feature is used primarily in Office and Windows’ built-in document viewer WordPad, but has been the cause of numerous vulnerabilities over the past few years, ZDNet said.

The bug can be exploited on all versions of Office, including the latest Office 2016 running on Windows 10. Attacks have been spotted in the wild since January, ZDNet said.

A Microsoft spokesperson confirmed that the company will issue a fix for the bug Tuesday as part of its monthly release of security fixes and patches.

About the Author

Richard Chang is associate editor of THE Journal.
