New zero day exploit

Regedit32

Moderator
Joined
Mar 4, 2016
Messages
3,617
Reaction score
1,140
So assuming Microsoft patch this exploit, the next question is will they offer that patched support to earlier editions of Microsoft Office, or only for those investing in the latest edition.
 

Trouble

Noob Whisperer
Moderator
Joined
Nov 19, 2013
Messages
13,411
Reaction score
2,319
Good question.
I would assume that as long as the particular Office product has not reached "End of Life Support" that it would still receive security updates.
As best I can determine Office 2007 SP3 is on the chopping block for October 31st this year.
 

Regedit32

Yes that is what I'd expect them to do.

However, given this exploit presumably has existed for far longer than Office 2007, I personally feel they are obliged to provide security support to all Editions affected.

I regularly see people providing me documents created in earlier editions of Office hence the concern.
 

Trouble

I really couldn't say.
The article specifically mentions "winword.exe" and then specifically mentions an "RTF file" (rich text format).
The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script. In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.
I have some additional concerns regarding the native WordPad application which has been around practically forever and......
I believe that .rtf (rich text format), is still the default save extension for that product.
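A defender-side check for the document structure described in the post above, as an added example that is not part of the original thread: it inspects a file's bytes rather than its extension, looks for RTF embedded objects whose data names the OLE2Link class, and reports any URL stored with them. The function names are hypothetical, and the sample input is constructed and inert (marker bytes only, not a valid OLE object).

```python
import re

# Hex payload that follows the \objdata control word, up to the next brace.
OBJDATA = re.compile(rb"\\objdata([^{}]*)", re.S)
# URLs stored as UTF-16LE (one NUL after each character) or as plain ASCII.
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]+")


def is_rtf(data: bytes) -> bool:
    """Decide by content: the file name and extension are never consulted."""
    return data.lstrip()[:5] == b"{\\rtf"


def embedded_objects(data: bytes):
    """Yield the decoded bytes of every \\objdata payload in the document."""
    for match in OBJDATA.finditer(data):
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", match.group(1))  # drop spaces/newlines
        digits = digits[: len(digits) & ~1]                      # keep whole bytes only
        yield bytes.fromhex(digits.decode("ascii"))


def scan(data: bytes) -> list:
    """Return one finding per embedded object that declares the OLE2Link class."""
    findings = []
    if not is_rtf(data):
        return findings
    for index, blob in enumerate(embedded_objects(data)):
        if b"OLE2Link" not in blob:
            continue
        urls = [m.group().decode("utf-16-le") for m in URL_UTF16.finditer(blob)]
        urls += [m.group().decode("ascii") for m in URL_ASCII.finditer(blob)]
        findings.append({"object": index, "urls": urls})
    return findings


def constructed_sample() -> bytes:
    """Constructed, inert test input: class-name marker plus a placeholder URL."""
    blob = b"OLE2Link\x00" + "http://example.invalid/doc.rtf".encode("utf-16-le")
    hexed = blob.hex().encode("ascii")
    return (b"{\\rtf1{\\object\\objautlink{\\*\\objdata "
            + hexed[:40] + b"\r\n" + hexed[40:] + b"}}}")


if __name__ == "__main__":
    print(scan(constructed_sample()))
```

Because `scan` works on the bytes it is given, a file saved with a `.doc` name is handled the same way as one named `.rtf`.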
 

Regedit32

That's a good point Trouble.

I'm hoping when the patch is released some more information on the actual exploit will be made available so all antivirus companies can at least provide a measured form of protection against it.

Until I hear differently I'll just have to insist those providing me word files use the doc or docx extension and hope the exploit cannot travel from a rtf file to another format if the original file saved as another extension was rtf.
 

Data

Chief Operations Officer
Joined
Apr 13, 2017
Messages
427
Reaction score
81
Has this not been patched over Patch Tuesday already?
 

Data

I PM'd Trouble with the exploit details. Despite it being available on some reputable and public websites, I thought it best not to let it loose around here; you never know what some kids will do.

The patches for this exploit were released: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4014793. That information is available at https://support.microsoft.com/en-gb/help/4014793/title

MS offer more information about patches at https://portal.msrc.microsoft.com/en-US/security-guidance (must accept terms of service to view).

Talk about convoluted methods. I believe all relevant information should be readily available, not hidden in sub-levels.
 
