Hackers Can Control Your PC With This 17 Year Old Microsoft Word Bug

With the growing size of software every year, it’s entirely possible that some unattended vulnerability can allow hackers to take advantage of the software and compromise computers.

The case of MS Office is no different. A recently patched 17-year-old remote code execution bug (CVE-2017-11882) is known to have acted as the Nitrous boost for the Cobalt malware which uses the famous tool Cobalt Strike used for penetration testing.

The bug exists in MS Office when the software fails to properly handle the objects in memory. If a user has admin rights, the scope of the attack worsens as an attacker can issue commands and take control of the machine. The list of affected Microsoft products include:

  • Office 2016 (32-bit & 64-bit)
  • Office 2013 SP1 (32-bit & 64-bit)
  • Office 2010 SP2 (32-bit & 64-bit)
  • Office 2007 2007 SP3

The security patch was made available to the users earlier this month. According to Fortinet, the actors were quick to take advantage of the vulnerability and tried to fulfill their deeds.

Fortinet has reported the Cobalt malware campaign that targeted Russian speakers with a spam mail, including an RTF document containing the malicious code, notifying about some policy changes in Visa payWave service.

Cobalt malware ms office 1
Fake notification mail

The RTF document was password protected (credentials provided in the mail) to prevent it from being detected. An archive file containing the body of the email was also present in the email.

cobalt malware ms office 2
Attached document

One thing that looks odd and can be used to spot something fishy is when the document is opened, it runs a PowerShell script and downloads Cobalt Strike tool to gain control of the system.

The security firm notes that the attackers used “trusted Microsoft Windows tools to run client-side scripts, which can be overlooked by traditional AV products.” They were able to load the Cobalt module with writing it as a physical file.

Users are recommended to install the security update to reduce the risk of such attack vectors.

Also Read: ALERT: Anyone Can Access Your Mac As Root With No Password — Here’s How To Fix
Aditya Tiwari

Aditya Tiwari

Aditya likes to cover topics related to Microsoft, Windows 10, Apple Watch, and interesting gadgets. But when he is not working, you can find him binge-watching random videos on YouTube (after he has wasted an hour on Netflix trying to find a good show). Reach out at [email protected]
More From Fossbytes

Latest On Fossbytes

Find your dream job