A new zero-day vulnerability in Microsoft Word is allowing attackers to exploit systems to install malware. Cyber security researchers say the flaw allows different kinds of malware to be installed. Worryingly, the malware can be implemented through Word even on machines that have been fully patched.

Many zero-days that are targeted through documents are already patched. Unfortunately, this flaw does not rely on macros, which Office can usually detect and warn users. This vulnerability is deployed when an infected Word document is opened.

The Microsoft Word document is created to look legitimate and passed through an email. It downloads an infection in the form of a malicious HTML application from a server. This is designed to look like a Rich Text document file.

McAfee and FireEye researchers have reported on the problem. The HTML application downloads a malicious script that is activated on a PC. Because the installed malware is stealthy, it is almost impossible for a regular user to detect it.

FireEye says it has coordinated with Microsoft and determined the cause of the vulnerability:

“The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script.

 In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link”

The bug affects all versions of Microsoft Word and Office, including Office 2016 and Office 365 for Windows 10. Both researchers say they have observed the flaw since January. However, Microsoft says it will release a fix as part of its April Patch Tuesday roll out.

Previous Microsoft Word Vulnerability

Last month we discussed how a malicious email featuring an infected Word document is being used in a phishing scam. The DNSMessenger attack acts on PowerShell to infect a system using a file less method.

Researchers from the Cisco Systems Talos team. Called DNSMessenger, the attack targets Microsoft’s Word via a malicious document that is sent through an email phishing campaign.