Microsoft® recently acknowledged and patched a vulnerability in Microsoft Word and WordPad, CVE-2017-0199, that allows attackers to execute malicious Visual Basic script with PowerShell commands when a user opens an RTF file containing an embedded exploit. Once the script runs, it can download and deploy a malicious payload and display a decoy document to the user.
This vulnerability is concerning because it allows potentially malicious code to execute without any prompt to the user, such as a request to enable macros. FireEye has reported that exploitation of this vulnerability has been detected as far back as January 2017.
For more information and to view campaigns leveraging CVE-2017-0199, see: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html and https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
For Microsoft’s guidance and details on this vulnerability, see https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
ACA Aponix Guidance
ACA Aponix recommends taking the following precautionary measures:
- Ensure critical Microsoft patches are applied in a timely fashion, including the patch for this specific vulnerability.
- Consider blocking inbound files with the RTF extension in the interim if RTF files are not typically used in day-to-day business.
- Warn your staff about this attack and train them how to identify and prevent phishing and spear-phishing attacks.
- Do not open attachments included in unsolicited emails.
- Check links contained in emails by hovering over them before clicking.
- Make sure antivirus and anti-spyware software are up to date.
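The interim measure of blocking RTF attachments is only as good as the check behind it: Word recognises an RTF document by its content (the file begins with `{\rtf`), not by its file name, so an extension-based block alone misses an RTF renamed to `.doc`. The following added example (written for this advisory, not ACA Aponix code or a product feature) shows a mail-gateway style triage that identifies RTF by content regardless of extension, flags embedded OLE objects using the control words defined in the RTF specification (`\object`, `\objdata`, `\objupdate` and related words), and applies the advisory's "block if RTF is not used" policy. The sample attachments, the function names and the `rtf_in_use` policy switch are constructed for illustration.

```python
"""Attachment triage for the "block inbound RTF" precaution.

Added example, not ACA Aponix's own code. All sample attachments below are
constructed for illustration; the policy choices are assumptions.
"""
import re
from typing import Dict, List

# RTF files begin with the "{\rtf" group opener (RTF specification).
RTF_MAGIC = b"{\\rtf"

# Control words from the RTF specification that introduce an embedded or
# linked OLE object. Their presence does not prove malice, but an RTF that
# carries an object warrants review given the CVE-2017-0199 delivery vector.
OBJECT_CONTROL_WORDS = (
    b"\\object", b"\\objemb", b"\\objlink", b"\\objautlink",
    b"\\objdata", b"\\objupdate", b"\\objclass",
)


def is_rtf(data: bytes) -> bool:
    """Identify RTF by content, tolerating leading whitespace."""
    return data.lstrip().startswith(RTF_MAGIC)


def find_object_control_words(data: bytes) -> List[str]:
    """Return the object-related control words present in an RTF body.

    A control word ends at the first non-letter, so the lookahead prevents
    '\\object' from matching inside a longer, unrelated word.
    """
    found = []
    for cw in OBJECT_CONTROL_WORDS:
        if re.search(re.escape(cw) + rb"(?![A-Za-z])", data):
            found.append(cw.decode("ascii"))
    return found


def triage_attachment(filename: str, data: bytes, rtf_in_use: bool = False) -> Dict:
    """Decide what to do with one inbound attachment.

    rtf_in_use=False reflects the advisory's interim guidance for businesses
    that do not normally exchange RTF files: every RTF is blocked on content.
    rtf_in_use=True is an assumed softer policy: RTFs pass unless they embed
    an OLE object, in which case they are held for review.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    rtf_by_content = is_rtf(data)
    objects = find_object_control_words(data) if rtf_by_content else []

    if rtf_by_content and not rtf_in_use:
        action, reason = "block", "RTF content; RTF not used in day-to-day business"
    elif objects:
        action, reason = "hold", "RTF with embedded OLE object(s)"
    else:
        action, reason = "allow", ""

    return {
        "filename": filename,
        "rtf_by_extension": ext == "rtf",
        "rtf_by_content": rtf_by_content,
        # An RTF hiding behind another extension is itself worth noting.
        "extension_mismatch": rtf_by_content and ext != "rtf",
        "embedded_objects": objects,
        "action": action,
        "reason": reason,
    }


# Constructed sample attachments (not real campaign files).
SAMPLE_ATTACHMENTS = {
    "invoice.rtf": b"{\\rtf1\\ansi Quarterly invoice attached.\\par}",
    # RTF content renamed to .doc, carrying an embedded object.
    "report.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}\\par}",
    "notes.txt": b"Plain text, not RTF.",
}


def run_triage(rtf_in_use: bool = False) -> List[Dict]:
    """Triage every constructed sample under the given policy."""
    return [triage_attachment(name, data, rtf_in_use)
            for name, data in SAMPLE_ATTACHMENTS.items()]


if __name__ == "__main__":
    for result in run_triage():
        print(f"{result['filename']:<12} {result['action']:<6} "
              f"mismatch={result['extension_mismatch']} "
              f"objects={result['embedded_objects']} {result['reason']}")
```

Running the module prints one line per sample: the renamed `report.doc` is blocked and flagged as an extension mismatch with `\object`, `\objemb` and `\objdata` present, the plain `invoice.rtf` is blocked on content alone, and the text file is allowed. Under `run_triage(rtf_in_use=True)` only `report.doc` is held, which is the policy to consider once the Microsoft patch is deployed and RTF traffic resumes.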
If you have any questions, please contact your ACA Aponix consultant or email us at email@example.com.