A critical zero-day vulnerability, CVE-2017-0199, in the Object Linking and Embedding (OLE) functionality in Microsoft Office is reportedly being exploited via Microsoft Office attachments in phishing emails that, once opened, result in the download of payloads for various malware families and allow remote code execution on the victim machine. The vulnerability is currently bypassing memory-based mitigations developed by Microsoft; however, Microsoft released a patch for this vulnerability in this month's “Patch Tuesday” updates and, according to McAfee, the attack cannot bypass Microsoft Office’s “Protected View.” The exploit involves a hacker emailing an Office document containing an embedded OLE2link object. If a user opens the document, a remote server returns a malicious HTML Application (HTA) file, disguised as a Rich Text Format (RTF) file. The Microsoft HTA file executes the malicious script, which downloads additional payloads and loads a separate document to distract the user. Microsoft revealed in its security advisory that WordPad is also affected by this flaw if it is used to open the malicious Office document. Security researchers have reported that cybercriminals are currently exploiting the vulnerability, using it to spread theDridex trojan, LatentBot trojan, and Godzilla downloader, among others. Additionally, according to FireEye, the FinSpy module, a hacking toolkit sold by “Gamma Group,” is exploiting the vulnerability in an espionage campaign targeting pro-Russian separatists in Ukraine.
The NJCCIC highly recommends all Microsoft Office users and administrators apply the available security update as soon as possible and enable Office’s “Protected View." Additionally, users are reminded to avoid opening Microsoft Office files from unknown senders, and administrators should review US-CERT’s Vulnerability Note VU#9921560 and Microsoft's security advisory.