Microsoft patches Office zero-day used to spread FinSpy surveillance malware

The malware, often used by nation states, exploits a flaw in Office, and it's known to have targeted Russians.
Written by Zack Whittaker, Contributor


Microsoft has patched a security vulnerability in Office, which researchers say has been exploited in the wild to target Russian-speaking users with a surveillance tool.

FireEye researchers, who found the previously undisclosed (a so-called "zero-day") flaw, said in a blog post Tuesday that the malware is served posing as a Rich Text document file that, once opened, injects and executes malicious code.

The code eventually launches a FinSpy payload, which is associated with Germany-based Gamma Group, a firm that carries out lawful intercepts for surveillance and espionage.

The company, which sells almost exclusively to nation state hackers, runs a near-constant, cat-and-mouse game to defeat the security in the products of major companies, like Microsoft and Apple.

In 2014, WikiLeaks revealed that several major governments -- including several oppressive states -- were on the FinFisher surveillance suite customer list.

FireEye said the attacker, who isn't known but is likely a nation state actor, may have begun as early as July, suggesting the original flaw was only recently discovered.

"These exposures demonstrate the significant resources available to 'lawful intercept' companies and their customers," wrote researchers Genwei Jiang, Ben Read, and Tom Bennett.

In a bulletin, Microsoft rated the vulnerability as "important," and it confirmed that all supported versions of Windows, including its server operating systems, are vulnerable.

Microsoft fixed an additional 81 separate vulnerabilities in its monthly round-up of security patches.
