Microsoft fixes 'critical' Office Word security flaw under active attack

Researchers have seen the exploit being used in a large-scale email campaign to distribute the Dridex malware.
Written by Zack Whittaker, Contributor

Microsoft has rolled out a patch for a previously undisclosed vulnerability in Microsoft Office which, if exploited, could allow an attacker to install malware on fully patched computers.

The company rolled out the fix as part of its regularly scheduled Patch Tuesday.

In its security advisory, Microsoft said the "critical"-rated bug could allow an attacker to take control of an affected system, such as installing programs and creating new accounts with full user rights.

News of the vulnerability spilled out over the weekend.

Unlike some Office-related malware, attackers don't need to use macros. Instead, the vulnerability, which relates to the Windows Object Linking and Embedding (OLE) function, is triggered when a victim opens a booby-trapped Word document. That document downloads a malicious HTML application from a server, disguised to look like a Rich Text document file as a decoy. The HTML application then downloads and runs a malicious script that can be used to stealthily install malware.
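The chain described above (a Word document that fetches an HTML application, which in turn runs a script) leaves two observable traces on a Windows endpoint: the Office process requesting a file that the server returns as an HTA, and the Office process launching mshta.exe, the Windows host that executes HTML applications. The Python triage script below is an added example, not code from the article, Microsoft or Proofpoint. It runs over constructed sample telemetry; the newline-delimited JSON format, the field names and the example.invalid hostname are assumptions made for illustration.

```python
"""Added example (not from the article): triage constructed endpoint
telemetry for the Word -> HTML application (HTA) chain the article
describes. Log format and field names are assumed for illustration."""
import json

# Office host processes whose child processes and downloads we scrutinise.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# mshta.exe is the Windows host that runs .hta files.
HTA_HOST = "mshta.exe"

# Constructed sample telemetry: one JSON record per line. These are NOT real
# events from the campaign; they only illustrate the shape of the detections.
SAMPLE_EVENTS = """
{"type": "process", "parent": "explorer.exe", "image": "winword.exe", "cmdline": "WINWORD.EXE invoice.doc"}
{"type": "network", "process": "winword.exe", "url": "http://example.invalid/template.rtf", "content_type": "application/hta"}
{"type": "process", "parent": "winword.exe", "image": "mshta.exe", "cmdline": "mshta.exe http://example.invalid/template.rtf"}
{"type": "process", "parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe"}
{"type": "network", "process": "winword.exe", "url": "https://example.invalid/logo.png", "content_type": "image/png"}
{"type": "process", "parent": "svchost.exe", "image": "mshta.exe", "cmdline": "mshta.exe legit.hta"}
""".strip()


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed telemetry must not crash the triage
    return events


def is_office_spawning_hta(ev):
    """An Office process launching mshta.exe is the second stage of the chain."""
    return (ev.get("type") == "process"
            and ev.get("parent", "").lower() in OFFICE_PROCESSES
            and ev.get("image", "").lower() == HTA_HOST)


def is_office_fetching_hta(ev):
    """An Office process pulling a file the server labels as an HTA."""
    if ev.get("type") != "network" or ev.get("process", "").lower() not in OFFICE_PROCESSES:
        return False
    ctype = ev.get("content_type", "").lower()
    url = ev.get("url", "").lower()
    # The decoy in the article is disguised as a Rich Text document, so the
    # URL extension alone is unreliable; key on the served MIME type as well.
    return ctype == "application/hta" or url.endswith(".hta")


def triage(text):
    """Return a list of (rule, actor, object, detail) tuples for matching events."""
    alerts = []
    for ev in parse_events(text):
        if is_office_spawning_hta(ev):
            alerts.append(("office_spawned_mshta", ev["parent"], ev["image"], ev.get("cmdline", "")))
        elif is_office_fetching_hta(ev):
            alerts.append(("office_fetched_hta", ev["process"], ev["url"], ev.get("content_type", "")))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(*alert)
```

Run against the constructed sample, the script raises two alerts: the Word process fetching a file served as application/hta, and the Word process spawning mshta.exe. The mshta.exe launched by svchost.exe and the image download are ignored, which is the point of keying on the Office parent rather than on mshta.exe alone.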

The vulnerability has been known about since early January, when security researchers observed attackers exploiting the flaw.

Microsoft said the bug affects all supported versions of Office and some versions of Windows.

Security firm Proofpoint also observed the exploit being used in a large-scale email campaign distributing the Dridex malware, which usually targets banks and financial institutions, to several unnamed organizations, primarily in Australia but also elsewhere.

If the exploit succeeds, it installs Dridex and connects the machine to a botnet, which the researchers dubbed "Botnet 7500", though they did not specify what activities the botnet carries out.

The malware is said to have been responsible for stealing millions of pounds from UK bank accounts, and it has been kept up-to-date with the latest infection techniques.

Microsoft also fixed two other "critical"-rated bugs that it confirmed were under active attack, including an elevation of privilege vulnerability in Internet Explorer and another issue with Office.

March patches will be available through the usual update channels.
