Zombie Flaw Hits Microsoft Office Users: Protect Yourself Now

Sometimes what should be dead never truly dies. An ancient vulnerability in Microsoft Office, patched in November 2017, is still being successfully used to attack Windows systems that have never been properly updated.

Hapless victims can become infected simply by opening malicious documents, which can arrive as email attachments or as downloads. Microsoft on Friday (June 7) tweeted out a series of warnings from its Security Intelligence Twitter feed that an "active malware campaign" was sending malicious email messages containing corrupted files to users in Europe.

The command-and-control server for this campaign is now offline, but it would be simple for the attackers to resume operations with a new server. Other groups have exploited the same Office flaw in the past, and it's sure to be part of an attacker's toolkit for the foreseeable future.

To make sure you're immune to this flaw, make sure your Windows 7, 8.1 or 10 machines are fully patched. Go into Windows Update and check when your latest updates were run; if it was earlier than November 2017, you're still vulnerable. Microsoft Office 2019 should not be vulnerable, but older versions of Office may be.

The flaw, known only by the catalog name CVE-2017-11882, has to do with the way Office handles Rich Text Format (RTF) files and translates certain bits of code using a component called Equation Editor.

If a user of an unpatched system opens a malicious RTF file in Microsoft Word, "the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the [malware] payload," Microsoft explained Friday.

"The backdoor payload then tries to connect to a malicious domain" that, fortunately, is "currently down."

The bug dates all the way back to 2000 and the first edition of Equation Editor, which let users construct scientific and mathematical formulas in Word. A different equation editor was introduced in Office 2007, but the older Equation Editor was kept on for compatibility purposes.

Microsoft's patch of CVE-2017-11882 in November 2017 revealed to the world the existence of the longstanding flaw in Equation Editor, and attackers began using it to target unpatched systems.

As a result, Microsoft removed Equation Editor from then-supported versions of Microsoft Office (Office 2007, 2010, 2013 and 2016) with a subsequent patch in January 2018.

This article originally appeared on Tom's Guide.

Windows 10 Security and Networking