Security researchers have discovered a critical vulnerability in the word processing program Microsoft Word. This allows attackers to create crafted Word files that automatically download and execute malicious code from the Internet. So far, there is no protection or updates from Microsoft. However, only older versions of Microsoft Office appear to be affected.
Zero Day vulnerability in Microsoft Office
Security researchers at nao_sec have reported that there is currently a dangerous zero-day vulnerability in Microsoft Office that has apparently not yet been patched. Disabling macros does not seem to help. Microsoft has not yet released an update.
However, only older Office versions seem to be affected. The current version of the Microsoft Office suite, as well as the packages from the Insider Channel, apparently prevent the exploit from being used. The “protected view” can also help when opening the document. However, anyone who deactivates this is at the mercy of the attacks.
Using a Word document, attackers can load and execute malicious code from the Internet. Local administrator rights are not required to exploit the vulnerability.
On the positive side, only a few attacks have been recorded so far, according to the researchers. Users in Belarus were mainly affected.
Which function is affected?
The zero-day vulnerability primarily affects the remote template function of Microsoft Word, which is used to fetch external links as HTML files from the network. These are then opened using ms-msdt to execute PowerShell code.
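As an added defensive example (not part of the original article or the researchers' work), the following Python scanner checks a .docx for the external template relationship described above and scans fetched template content for ms-msdt: URIs; the sample document, host name and URIs are constructed.

```python
"""Defensive scanner: flag Word documents that pull a remote template (the feature
abused here) and flag ms-msdt: URIs in content fetched by such a template.
Constructed sample input only; no network access."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Matches an ms-msdt: URI up to the first whitespace, quote or angle bracket.
MSDT_URI = re.compile(rb"ms-msdt:[^\s\"'<>]*", re.IGNORECASE)


def remote_templates(docx_bytes: bytes) -> list[str]:
    """Return external attachedTemplate targets declared in word/_rels/settings.xml.rels."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        rels = "word/_rels/settings.xml.rels"
        if rels not in zf.namelist():
            return targets
        for rel in ET.fromstring(zf.read(rels)).iter(f"{{{PKG_REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target"))
    return targets


def find_msdt_uris(content: bytes) -> list[str]:
    """Return every ms-msdt: URI found in fetched template content (HTML or otherwise)."""
    return [m.decode("ascii", "replace") for m in MSDT_URI.findall(content)]


def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Constructed minimal .docx containing only the part the scanner reads (not a real file)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PKG_REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body part
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(remote_templates(build_sample_docx("http://template.example.invalid/t.html")))
    print(remote_templates(build_sample_docx("normal.dotm", external=False)))
    print(find_msdt_uris(b'<a href="ms-msdt:/id CONSTRUCTED-SAMPLE">x</a>'))
```

A document that references a template over http(s) is unusual in most environments and is worth quarantining for review; a local .dotm reference without TargetMode="External" is normal.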
In a Twitter thread, IT security researcher Kevin Beaumont explains what this is all about. Using ms-msdt, for example, Microsoft logs are also loaded directly from emails into Outlook.
On May 29, he published a summary of the issue in which he goes into detail about the problem. He sees the biggest problem in the fact that Microsoft Word executes the code with the help of the support tool msdt, even if macros are disabled.
Although the protected view provides a remedy here, attackers can easily circumvent it by saving the document in RTF format, which would then be executed without the document even having to be opened – via the preview pane in Explorer.
According to Beaumont, he was able to run the script on Windows 10 without local admin rights, with macros, Windows Defender and Office 365 Semi-Annual Channel disabled, opening the calculator as a test.
The vulnerability continued to exist in Office 2013 and 2016, which is why he sees a problem primarily with many companies still using older versions of Office. At least the good news: “With the Insider and current version of Office, I couldn’t run the script – which indicates that Microsoft did something or at least tried to fix the vulnerability without documenting it.”