A quick check-in on the Word vulnerability

MSRC / By / June 20, 2019

Hi everyone, Stephen Toulouse here again.  I wanted to catch you up on where we’re at with our investigation of the Word vulnerability. 


 


First off on the vulnerability itself: I want to reiterate we’re hard at work on an update.  The attack vector here is Word documents attached to an email or otherwise delivered to a user’s computer.  The user would have to open it first for anything to happen.  That information isn’t meant to say the issue isn’t serious, it’s just meant to clearly denote the scope of the threat.


 


Now, we’ve received singular reports of attacks and have been working directly with the couple of customers thus far affected.  In analyzing the malware we’ve added detection to the Windows Live Safety Center, and we’ve passed all that information over to our antivirus partners.  But in breaking down the current malware we discovered some commonality to the current attack.  The attack we’ve seen is email based.  The emails tend to arrive in groups, they often have fake domains that are similar to real domains of the targets, but the targets are valid email addresses. 


 


Currently two of the subject lines we have seen are: 


 


Notice


RE Plan for final agreement


 


The attack we have seen so far requires admin rights, so limitations on user accounts can help here.  I want to repeat that customers who believe they are affected can contact Product Support Services.  You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location:


http://support.microsoft.com/security.


 


So far, this is a *very* limited attack, and most of our antivirus partners are rating this as “low”.  But we’re working to investigate any variants we might see to make sure detection is out there, as well as working on the update to address the vulnerability.


 


S. 


 


PS: Michael Howard recently wrote a great article for not running as admin.  It can be found here:  http://msdn.microsoft.com/security/securecode/columns/default.aspx?pull=/library/en-us/dncode/html/secure01182005.asp


 


*This posting is provided “AS IS” with no warranties, and confers no rights.*