MS Word Critical Flaw to be Addressed Today Via Patch Tuesday

Please be advised that Microsoft plans to release an update for a critical Word flaw today, as part of Patch Tuesday. It is recommended that this patch is applied as soon as it becomes available. This vulnerability allows the installation of malware, in this case a banking trojan dubbed Dridex, when a target/user opens a maliciously-crafted MS Word email attachment. This vulnerability is known to affect all Windows versions of Word. The exploit has not been proven or disproven to work on Mac versions of Word.

Dridex infused Word documents typically arrive as Rich Text Format (RTF) attachments to emails purporting to be from from  “device”, “copier” “documents”, “no-reply” or “scanner”. In all known cases, the subject line of the emails reads “Scan Data”. Opening the  documents attached to these emails will install a Dridex bot on your system that is known to capture banking information. It has been observed that this exploit does not execute when the document is viewed in a Microsoft view known as “Protected View”, which is a read-only mode in which most editing functions are disabled. However, if you opt to print the document or “Enable Editing” in Protected View, the exploit will run.

Screenshot showing the Enable Editing button in the Protected View of MS Word. This button appears at the top right of the Word screen in a yellow bar.

A sample Dridex email is shown below:

Screenshot of an email message with a subject of "Scan Data". Appears to attach a MS Word document entitled "Scan" with a file size of 37 KB. The body of the messages states "Number of pages: 3" and incorrectly states the attachment type as PDF.

For more information, please see:

https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/