New zero day exploit

[Trouble]

Discovered this weekend a new exploit involving MS Word / .rtf files (not sure who uses that format in word any more, but thought I would pass it along anyway.
https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html

 

[Tim Locke]

Also in ArsTechnica

 

[Regedit32]

So assuming Microsoft patch this exploit, the next question is will they offer that patched support to earlier editions of Microsoft Office, or only for those investing in the latest edition.

 

[Trouble]

Good question.
I would assume that as long as the particular Office product has not reached "End of Life Support" that it would still receive security updates.
As best I can determine Office 2007 SP3 is on the chopping block for October 31st this year.

 

[Regedit32]

Yes that is what I'd expect them to do.

However, given this exploit presumably has existed for far longer than Office 2007, I personally feel they are obliged to provide security support to all Editions affected.

I regularly see people providing me documents created in earlier editions of Office hence the concern.

 

[Trouble]

I really couldn't say.
The article specifically mentions "winword.exe" and then specifically mentions an "RTF file" (rich text format).

The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.

I have some additional concerns regarding the native WordPad application which has been around practically forever and......
I believe that .rtf (rich text format), is still the default save extension for that product.

 

[Regedit32]

That's a good point Trouble.

I'm hoping when the patch is released some more information on the actual exploit will be made available so all antivirus companies can at least provide a measured form of protection against it.

Until I hear differently I'll just have to insist those providing me word files use the doc or docx extension and hope the exploit cannot travel from a rtf file to another format if the original file saved as another extension was rtf.

 

[Data]

Has this not been patched over patch Tuesday already?

 

[Data]

I PM Trouble with exploit details, despite it being available in some reputable and public websites, I thought best not to let it loose around here, you never know what some kids will do)

The patches for this exploit were released https://www.catalog.update.microsoft.com/Search.aspx?q=KB4014793 that information is available at https://support.microsoft.com/en-gb/help/4014793/title

Ms offer more information about patches at https://portal.msrc.microsoft.com/en-US/security-guidance (must accept terms of service to view)

Talk about convoluted methods, I believe all information relevant should be readily available not hidden in sub-levels