An attack leveraging a recently patched Microsoft Office zero-day vulnerability (CVE-2017-11826) to deliver malware has been observed in the wild.
HOW DOES IT WORK?
The vulnerability is a memory-corruption bug affecting Microsoft Office 2007 products and later. Exploiting it requires the attacker to convince the victim to open a specially crafted file with a vulnerable version of Microsoft Office. This can be done via email (malspam) or a web-based attack (for example, hosting the file on a compromised website).
The attack was observed beginning with an RTF file that, when opened, triggers remote arbitrary code execution by using Microsoft Word tags and their corresponding attributes to carry out the payload delivery.
After a successful exploit, an attacker can take control of the system and abuse it, for example by creating new accounts with full rights or by manipulating and deleting data. As reportedly observed by security firm Qihoo 360, attackers exploited the vulnerability to deploy a remote Trojan and steal sensitive data.
HOW DO YOU STOP IT?
Palo Alto Networks Traps advanced endpoint protection prevents this attack at the very beginning by blocking the use of return-oriented programming (ROP) and by protecting against the use of fixed addresses from DLLs that do not opt in to address space layout randomization (ASLR), thus blocking the execution of any malicious payload. No updates are needed to prevent this attack with Traps. In fact, it would have been prevented years before the vulnerability ever became public.
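As an added, defender-side illustration of the second mechanism named above (example code written for this page, not Palo Alto Networks' code and not a description of how Traps works internally): a small Python check that reads a PE module's DllCharacteristics field to tell whether it opted in to ASLR. Modules without the DYNAMIC_BASE bit load at fixed addresses, which is why they are worth inventorying in an Office process; the stub-header builder and the module names are constructed for the demo.

```python
import struct

# Optional-header DllCharacteristics bits (PE format constants)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP compatible


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip PE signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers
    return struct.unpack_from("<H", data, opt + 70)[0]


def supports_aslr(data: bytes) -> bool:
    """True if the module asked the loader for a randomized base address."""
    return bool(dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def make_stub_image(characteristics: int) -> bytes:
    """Build a constructed, minimal PE32 header (not loadable) for the demo."""
    e_lfanew = 0x40
    buf = bytearray(e_lfanew + 4 + 20 + 96)  # DOS stub + sig + COFF + PE32 opt
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)
    struct.pack_into("<H", buf, opt + 70, characteristics)
    return bytes(buf)


def audit(paths):
    """Map each on-disk module path to whether it opted in to ASLR."""
    findings = {}
    for path in paths:
        with open(path, "rb") as handle:
            findings[path] = supports_aslr(handle.read())
    return findings


if __name__ == "__main__":
    # Constructed sample modules: one ASLR-aware, one legacy
    samples = {"modern.dll": IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
               | IMAGE_DLLCHARACTERISTICS_NX_COMPAT, "legacy.dll": 0}
    for name, flags in samples.items():
        verdict = "ASLR" if supports_aslr(make_stub_image(flags)) else "fixed base"
        print(name, verdict)
```

Point audit() at the modules listed in a process's loaded-module view to find the ones that would hand an attacker stable addresses.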