April 18, 2017

[ALERT] You want to fix this Microsoft Word 0-day threat ASAP

As part of our continued efforts to keep you in the know about issues that could affect you, I wanted to let you know of a new threat that you need to make sure you are protected against as soon as possible. Researchers from Proofpoint (a security firm) found a critical 0-day threat, known as CVE-2017-0199, in Microsoft Word that allowed booby-trapped Dridex phishing attacks to be sent to millions of employees, claiming to be a PDF sent to them by their company photocopier.

This one is particularly bad because it bypasses exploit mitigations built into Windows, doesn’t require your employee to enable macros, works even against Windows 10 (Redmond’s most secure OS yet), and works on most or all Windows versions of Word.

Dridex used to rely on macro-infected documents attached to emails, using social engineering to trick the user into opening the attachment and clicking the macro button. This time around the attackers were pretty nimble and leveraged a zero-day in Word. Proofpoint’s technical analysis said:

“Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from “”. [device] may be “copier”, “documents”, “noreply”, “no-reply”, or “scanner”. The subject line in all cases read “Scan Data” and included attachments named “Scan_123456.doc” or “Scan_123456.pdf”, where “123456” was replaced with random digits. Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing.”

What To Do About It

1) Patch. Fortunately, last Tuesday Microsoft released its regular batch of security patches, including a fix for this nasty Office zero-day vulnerability, CVE-2017-0199. It turns out that this wasn’t the only thing that needed patching: an elevation of privilege vulnerability in Internet Explorer (CVE-2017-0210), which an attacker could exploit by convincing a user to visit a compromised website, was also fixed. So make sure you have installed the April 2017 Security Update on your computers’ operating systems.

2) If you are not sure how to patch your systems, please contact us so we can help!

3) Find out if your domain can be spoofed. One of the first things hackers try is to see if they can spoof the email address of someone in your own domain. Once they can, they can launch a spear phishing attack on your organization. This check is a free service with our monthly Managed Services program!

As always, stay safe out there!

Post Credit: KnowBe4
