Hackers Exploit Microsoft Word Auto-Updating Links To Install Spyware


A freelance security consultant and handler at the SANS Internet Storm Center has documented a rather interesting attack technique against Microsoft Word, one that abuses the program's ability to auto-update linked content. The feature is enabled by default: when a document contains a link to an external source such as a URL, Word refreshes that link automatically when the file is opened, with no prompt to the user. Therein lies the issue.

"The infection vector was classic: The document ('N_Order#xxxxx.docx', with 5 random numbers) was received as an attachment and has a VT score of 12/59 this morning. The file has an embedded link to another document which is a malicious RTF file that tries to exploit the CVE-2017-0199," security consultant Xavier Mertens explains in a blog post describing the attack.

Image Source: Xavier Mertens

CVE-2017-0199 is a logic flaw in how Office handles OLE2Link objects embedded in documents (typically RTF files): when the user opens the document, the linked object is fetched from a remote server and, if the server answers with an HTML Application (.hta), Office hands it to the HTA handler (mshta.exe), which runs it. That is how an attacker gets a Visual Basic script carrying PowerShell commands executed with no macros and no memory corruption involved. Microsoft patched the flaw in April 2017, and security outfit FireEye reported that month that it had observed Office documents exploiting CVE-2017-0199 to download and execute malware payloads from several well-known malware families.

In this case, the Word file fetches the linked RTF file when it is opened. If the download succeeds, the RTF exploits CVE-2017-0199 and pulls down a JavaScript payload, which delivers the spyware. According to Mertens, the link update happens without any user interaction and without any prompt warning the user that the document is about to reach out to a remote server.
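The link that makes this work is visible inside the .docx itself, because a .docx is a zip package: the linked OLE object sits in word/document.xml as an o:OLEObject with Type="Link" and an UpdateMode attribute, and its target URL is stored as a relationship with TargetMode="External" in word/_rels/document.xml.rels. The following scanner is an added example, not code from Mertens' diary or the article. It builds two constructed .docx packages in memory (one benign, one carrying an auto-updating external link to a made-up URL) and flags any linked object whose target lives outside the package, so a triage analyst can spot this kind of document before opening it. The element and relationship names are the standard Office Open XML conventions for linked objects; the URL, relationship ids and document text are assumptions for the demonstration.

```python
"""Flag auto-updating external OLE links in a .docx (added example, not the diary's code)."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "o": "urn:schemas-microsoft-com:office:office",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
R_ID = "{%s}id" % NS["r"]  # qualified name of the r:id attribute


def external_relationships(rels_xml):
    """Map rId -> target for every relationship that points outside the package."""
    root = ET.fromstring(rels_xml)
    return {
        rel.get("Id"): rel.get("Target")
        for rel in root.findall("rel:Relationship", NS)
        if rel.get("TargetMode") == "External"
    }


def find_auto_updating_links(docx_bytes):
    """Return [(rId, target, update_mode)] for linked OLE objects with an external target.

    UpdateMode="Always" means Word refreshes the link, i.e. fetches the target,
    when the document is opened; that is the behaviour described in the article.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/document.xml" not in names:
            return findings  # not a Word package
        ext = {}
        if "word/_rels/document.xml.rels" in names:
            ext = external_relationships(z.read("word/_rels/document.xml.rels"))
        doc = ET.fromstring(z.read("word/document.xml"))
        for ole in doc.iter("{%s}OLEObject" % NS["o"]):
            rid = ole.get(R_ID)
            if ole.get("Type") == "Link" and rid in ext:
                findings.append((rid, ext[rid], ole.get("UpdateMode", "")))
    return findings


def build_docx(document_xml, rels_xml):
    """Pack a minimal, constructed .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample 1: plain text, only an internal relationship.
BENIGN_DOC = (
    '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Order confirmation</w:t>'
    '</w:r></w:p></w:body></w:document>' % NS["w"]
)
BENIGN_RELS = (
    '<Relationships xmlns="%s"><Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
    'Target="styles.xml"/></Relationships>' % NS["rel"]
)

# Constructed sample 2: a linked OLE object that Word refreshes on open,
# whose relationship points at an external (made-up) URL serving an RTF.
LINKED_DOC = (
    '<w:document xmlns:w="%s" xmlns:o="%s" xmlns:r="%s"><w:body><w:p><w:r><w:object>'
    '<o:OLEObject Type="Link" ProgID="Word.Document.8" DrawAspect="Content" '
    'ObjectID="_1" r:id="rId4" UpdateMode="Always"/>'
    '</w:object></w:r></w:p></w:body></w:document>' % (NS["w"], NS["o"], NS["r"])
)
LINKED_RELS = (
    '<Relationships xmlns="%s"><Relationship Id="rId4" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    'Target="http://example.invalid/order.rtf" TargetMode="External"/></Relationships>'
    % NS["rel"]
)


def scan_samples():
    """Run the scanner over both constructed packages and return the findings by name."""
    return {
        "benign": find_auto_updating_links(build_docx(BENIGN_DOC, BENIGN_RELS)),
        "linked": find_auto_updating_links(build_docx(LINKED_DOC, LINKED_RELS)),
    }


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(name, hits or "no auto-updating external links")
```

To use it on a real attachment, pass the file's bytes to find_auto_updating_links; a non-empty result with UpdateMode="Always" and an http(s) target is exactly the pattern Mertens describes and is worth detonating in a sandbox rather than opening on a workstation. The scanner deliberately reads only the zip entries, so it never triggers the link itself.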

The flaw is clearly still attracting attackers. Besides FireEye, Trend Micro has seen CVE-2017-0199 exploited in the wild; in a recent blog post it described the former zero-day remote code execution vulnerability being delivered through PowerPoint rather than Word.

"We recently observed a new sample (Detected by Trend Micro as TROJ_CVE20170199.JVU) exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show—the first time we have seen this approach used in the wild," Trend Micro said.

Bottom line? Keep your head on a swivel, make sure the April 2017 Office update that fixed CVE-2017-0199 is installed, and keep your AV software updated. If you do not need Word to refresh linked content on its own, turn off "Update automatic links at open" under File > Options > Advanced, so a document cannot reach out to a remote server before you have had a look at it.