Microsoft® recently acknowledged and patched a vulnerability in Microsoft Word and WordPad, CVE-2017-0199, that allows attackers to execute malicious Visual Basic script with PowerShell commands when users open an RTF document containing an embedded exploit. When the script is executed, it can download and deploy a malicious payload and display decoy documents to the user.
This vulnerability is concerning because it allows potentially malicious code to execute without prompting the user to enable macros and without displaying any other prompt. FireEye has reported that exploitation of this vulnerability has been detected as far back as January 2017.
For more information and to view campaigns leveraging CVE-2017-0199, see: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html and https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
For Microsoft’s guidance and details on this vulnerability, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
ACA Aponix recommends taking the following precautionary measures:
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.