It’s been a crazy week. Last Monday we learned about the vulnerability that uses a booby-trapped Word document attached to an email message to infect Windows PCs. Then, on Friday, came the exploits collectively identified with their leaker, Shadow Brokers, that appear to originate with the U.S. National Security Agency.
In both cases, many of us believed the sky was falling on Windows: The exploits touch all versions of Windows and all versions of Office. Fortunately, the situation isn’t as bad as was first thought. Here’s what you need to know.
How to protect yourself against the Word zero-day
As I explained last Monday, the exploit fires when you open an infected Word document attached to an email. The attack takes place from inside Word, so it doesn’t matter which email program or even which version of Windows you’re using.
In a twist I’ve never seen before, subsequent research into the exploit revealed it was first used by nation-state attackers but was then incorporated into garden-variety malware. Both and reported that the exploit was originally used in January to hack Russian targets—but the same code snippet turned up in a Dridex banking malware email campaign from last week. Exploits aimed at the spook set rarely get unleashed on the world at large, but this one did.
But be of good cheer. I’m seeing verification from all over the web—including my own —that you can avoid infection by sticking with Word’s Protected View mode (in Word, choose File > Options > Trust Center > Trust Center Settings and select Protected View).
With Protected View enabled, Word doesn’t act on any links that might set off malware in files you retrieve from the internet, such as email attachments and downloads from websites. Instead, you get a button called Enable Editing that lets you fully open the file. You should do that only for a Word document you trust, because if you click Enable Editing for an infected Word file, some kinds of malware fire automatically. In Protected View, Word shows you only a read-only, “viewer” style rendering of the document, so you have a chance to look it over before deciding whether it is safe.
I suggest you check out any Word document you get via email before you open it in Word. Email clients like Outlook (on all platforms, including Outlook for Web) and Gmail let you preview common file formats, including Word, so you can assess files’ legitimacy before you take the potentially dangerous step of opening them in Office. Of course, you still want to enable Protected View mode in Word even if you first preview a document in your email client—better to have more protection than less.
In other words, last month’s patch fixes nearly all the exploits in Windows 7 and later. But Windows NT and XP users won’t get any fixes because their Windows versions are no longer supported; if you run NT or XP, you are vulnerable to the NSA hacks Shadow Brokers unveiled. The status of Windows Vista PCs is still open to debate.
Bottom line: If you have last month’s patch installed, you’re fine. According to the article, that includes any of these KB numbers:
- 4012598 MS17-010: Description of the security update for Windows SMB Server; March 14, 2017
- 4012216 March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2
- 4012213 March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2
- 4012217 March 2017 Security Monthly Quality Rollup for Windows Server 2012
- 4012214 March 2017 Security Only Quality Update for Windows Server 2012
- 4012215 March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
- 4012212 March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1
- 4013429 March 13, 2017—KB4013429 (OS Build 933)
- 4012606 March 14, 2017—KB4012606 (OS Build 17312)
- 4013198 March 14, 2017—KB4013198 (OS Build 830)
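As an added example (not code from the article), here is a PowerShell check for the two mitigations discussed above: whether one of the March 2017 updates in the list is installed, and whether Word’s Protected View is still switched on. The KB numbers are the ones listed; the registry path and value names for Protected View are assumptions about Office’s Trust Center settings, not something the article states.

```powershell
# Added example, not code from the article: report whether one of the March 2017
# updates listed above is installed and whether Word's Protected View is still on.
# The KB ids come from the list above; the registry path and value names are
# assumed from the Office Trust Center settings, not stated in the article.
$Kbs = @('KB4012598','KB4012216','KB4012213','KB4012217','KB4012214',
         'KB4012215','KB4012212','KB4013429','KB4012606','KB4013198')

function Test-March2017Update {
    # Get-HotFix lists installed updates; -Id accepts several KB ids at once.
    # Later cumulative updates supersede these, so "not found" means
    # "check Windows Update", not "definitely exposed".
    $found = Get-HotFix -Id $Kbs -ErrorAction SilentlyContinue
    if ($found) {
        $found | Select-Object HotFixID, Description, InstalledOn
    } else {
        Write-Warning 'None of the March 2017 updates from the list is installed.'
    }
}

function Test-WordProtectedView {
    # Protected View is on by default; each of these DWORDs set to 1 turns one
    # of its three triggers off (internet files, Outlook attachments, unsafe
    # locations). "Attachements" is the value name's actual spelling.
    # 16.0 is Office 2016; adjust for other versions (assumption).
    $path  = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security\ProtectedView'
    $flags = 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV'
    foreach ($flag in $flags) {
        $v = (Get-ItemProperty -Path $path -Name $flag -ErrorAction SilentlyContinue).$flag
        [pscustomobject]@{ Setting = $flag; ProtectedViewOn = ($v -ne 1) }
    }
}

Test-March2017Update
Test-WordProtectedView
```

An absent value means the default (Protected View on) applies; a value of 1 for any flag means someone has turned that trigger off and the mitigation the article relies on is not in place.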
Microsoft says none of the other three exploits—EnglishmanDentist, EsteemAudit, and ExplodingCan—runs on “supported platforms,” meaning Windows 7 or later and Exchange 2010 or later.
Discussion and conjecture continues on the .