Word zero-day affects all versions of Office and Windows


Somebody at McAfee jumped the gun. Last Friday night McAfee disclosed the inner workings of a particularly pernicious rigged Word document attack — a zero-day involving a linked HTA file. On Saturday FireEye — citing a “recent public disclosure by another company” — gave more details, and revealed that it had been working on the problem with Microsoft for several weeks.

It looks like McAfee’s public disclosure forced FireEye’s hand prior to Microsoft’s anticipated fix tomorrow.

The exploit arrives as a Word doc attached to an email message. The doc is actually an RTF file with a .doc name extension; when you open it, an embedded link retrieves an HTA file. (An HTA file is usually wrapped around a VBScript or JScript program.)

Apparently all of that happens automatically, although the HTA file is retrieved via HTTP, so I don’t know if Internet Explorer is a key part of the exploit. (Thanks  and on AskWoody.)
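As an added defender's illustration (not code from the article, McAfee or FireEye), the following Python heuristic checks an attachment the way a mail gateway or responder might, using the two traits described above: a .doc name on what is really an RTF body, and an embedded link that points at an .hta resource. The sample document, the example.net URL and the RTF object layout are constructed for the demo; treating `\objdata` hex as possibly UTF-16 text is an assumption about how object streams store strings, not something the article states.

```python
import re

RTF_MAGIC = b"{\\rtf"
# Case-insensitive http(s) URL whose path ends in .hta; stops at whitespace,
# quotes, braces and backslashes so RTF control words are not swallowed.
HTA_URL = re.compile(rb"https?://[^\s\"'<>{}\\]+?\.hta\b", re.IGNORECASE)
# Hex payload following an \objdata control word (whitespace may separate digits).
OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

def is_rtf(data: bytes) -> bool:
    """RTF files start with '{\\rtf' whatever name extension they were given."""
    return data.lstrip().startswith(RTF_MAGIC)

def decode_objdata(data: bytes):
    """Yield the binary content of every \\objdata group (RTF stores it as hex)."""
    for m in OBJDATA.finditer(data):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:            # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        yield bytes.fromhex(hexstr.decode("ascii"))

def find_hta_links(data: bytes) -> list:
    """Collect .hta URLs from the RTF text and from decoded object data.
    Assumption: object streams may hold strings as UTF-16LE, so a NUL-stripped
    copy of each decoded blob is searched as well."""
    found = []
    haystacks = [data]
    for blob in decode_objdata(data):
        haystacks += [blob, blob.replace(b"\x00", b"")]
    for hay in haystacks:
        for m in HTA_URL.finditer(hay):
            url = m.group(0).decode("ascii", "replace")
            if url not in found:
                found.append(url)
    return found

def assess(filename: str, data: bytes) -> dict:
    """Summarise the two indicators the article describes for one attachment."""
    rtf = is_rtf(data)
    return {
        "is_rtf": rtf,
        "extension_mismatch": rtf and filename.lower().endswith(".doc"),
        "hta_links": find_hta_links(data),
    }

# Constructed sample (not a real capture): an RTF body delivered as "invoice.doc"
# whose object data carries a hex-encoded link to an .hta resource.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objautlink{\\*\\objdata "
              + "http://example.net/update.hta".encode().hex().encode()
              + b"}}}")

if __name__ == "__main__":
    print(assess("invoice.doc", SAMPLE_RTF))
```

A hit on both indicators is a strong reason to hold the message for analysis; a plain RTF with a .doc name but no link is still worth a look, since the magic-bytes mismatch alone is unusual for legitimate mail.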

so we suggest everyone ensure that Office Protected View is enabled.

A long-time security guru reports that a fix is coming in tomorrow’s Patch Tuesday bundle.


Security researchers haven’t reached a consensus on exactly what “a reasonable amount of time” means when allowing a vendor to fix a vulnerability before full public disclosure. Google sets a fixed deadline for disclosure of critical security vulnerabilities, and an even shorter seven days for critical vulnerabilities under active exploitation. HackerOne, a platform for vulnerability and bug bounty programs, applies its own default deadline, which can be extended to 180 days as a last resort. Other security researchers, such as myself, opt for 60 days with the possibility of extensions if a good-faith effort is being made to patch the issue.

The timing of these posts brings the motives of the posters into question. McAfee stated, up front, that its information was just one day old:

Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched.

Responsible disclosure works both ways; there are solid arguments for shorter delays and for longer delays. But I don’t know of any malware research company that would assert that immediate disclosure, prior to notifying the vendor, is a valid approach.

Obviously, FireEye’s protection has covered this vulnerability for weeks. Just as obviously, McAfee’s for-fee service hasn’t. Sometimes it’s hard to tell who’s wearing a white hat.

Discussion continues on the .