Sometimes what should be dead never really dies. An old vulnerability in Microsoft Office, patched in November 2017, is still used successfully to attack Windows systems that were never properly updated.
Unfortunate victims can get infected simply by opening malicious documents, which can arrive as email attachments or as downloads. On Friday (June 7), Microsoft tweeted a series of warnings from its Security Intelligence Twitter feed that an “active malware campaign” was sending malicious emails containing corrupted files to users in Europe.
The command and control server for this campaign is now offline, but it would be easy for attackers to resume operations with a new server. Other groups have exploited the same Office flaw in the past and it will likely be part of an attacker’s toolkit for the foreseeable future.
To ensure that you are immune to this flaw, make sure your Windows 7, 8.1, or 10 machines are fully patched. Go into Windows Update and check when your latest updates were run; if it was before November 2017, you are still vulnerable. Microsoft Office 2019 shouldn’t be vulnerable, but older versions of Office can be.
The flaw, known only by its catalog name, CVE-2017-11882, has to do with the way that Office handles Rich Text Format (RTF) files and translates certain code snippets using a component called the Equation Editor.
If a user on an unpatched system opens a malicious RTF file in Microsoft Word, “the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the [malware] payload,” Microsoft explained on Friday.
“The backdoor payload is trying to connect to a malicious domain” which, fortunately, is “currently down.”
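For defenders triaging attachments, the following added example (not from Microsoft or the original article) flags RTF files whose embedded OLE objects reference the legacy Equation Editor. `Equation.3` and the CLSID are the Equation Editor's own identifiers; the function names and the sample documents are constructed for illustration.

```python
import re

# ProgID and CLSID of the legacy Equation Editor OLE server (EQNEDT32.EXE).
PROGID = b"equation.3"
# {0002CE02-0000-0000-C000-000000000046} in the little-endian layout used in OLE2 storages.
CLSID = bytes.fromhex("02ce020000000000c000000000000046")

OBJCLASS_RE = re.compile(rb"\\objclass\s+([^{}\\]+)")
OBJDATA_RE = re.compile(rb"\\objdata([^{}]*)")


def decode_objdata(body: bytes) -> bytes:
    """Hex-decode an \\objdata body; whitespace between hex digits is ignored."""
    compact = re.sub(rb"\s+", b"", body)
    hexrun = re.match(rb"[0-9A-Fa-f]*", compact).group(0)
    return bytes.fromhex(hexrun[: len(hexrun) & ~1].decode("ascii"))


def scan_rtf(data: bytes) -> list[str]:
    """Return the reasons an RTF file references the Equation Editor (empty if none)."""
    if not data.lstrip().startswith(b"{\\rt"):  # lenient RTF header check
        return []
    reasons = []
    for m in OBJCLASS_RE.finditer(data):
        if m.group(1).strip().lower() == PROGID:
            reasons.append("objclass names Equation.3")
    # The visible \objclass can be a decoy, so also inspect the embedded object bytes.
    for m in OBJDATA_RE.finditer(data):
        payload = decode_objdata(m.group(1))
        if PROGID in payload.lower():
            reasons.append("objdata header names Equation.3")
        if CLSID in payload:
            reasons.append("objdata contains Equation Editor CLSID")
    return reasons


# Constructed samples: in SAMPLE the visible class is a decoy, but the OLE1
# header inside objdata carries the length-prefixed class name "Equation.3".
SAMPLE = (rb"{\rtf1{\object\objemb{\*\objclass Word.Document.8}{\*\objdata 0105 0000 02000000"
          b"\r\n" rb"0b000000 4571756174 696f6e2e3300 00000000}}}")
BENIGN = rb"{\rtf1\ansi Quarterly report, no embedded objects.}"

if __name__ == "__main__":
    print(scan_rtf(SAMPLE))
    print(scan_rtf(BENIGN))
```

This is a triage heuristic, not a full RTF parser: objects hidden behind control words or nested groups inside `\objdata` need a real parser, and a hit means the file invokes the Equation Editor, not that it is necessarily malicious.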
The bug dates back to 2000 and the first edition of Equation Editor, which allowed users to build scientific and mathematical formulas in Word. A different equation editor was introduced in Office 2007, but the old equation editor was retained for compatibility reasons.
Microsoft’s patch of CVE-2017-11882 in November 2017 revealed to the world the existence of the long-standing flaw in Equation Editor, and attackers started using it to target unpatched systems.
As a result, Microsoft removed the Equation Editor from currently supported versions of Microsoft Office (Office 2007, 2010, 2013 and 2016) with a later patch in January 2018.