14 DAY TRIAL // A new zero-day security vulnerability has been discovered in Internet Explorer, allowing cybercriminals to infect a Windows host using a malicious Office document.
The flaw was discovered by Chinese security firm Qihoo 360, who says in an in-depth analysis that it’s already being used out in the wild against Windows targets.
According to their findings, it’s possible to exploit the vulnerability using Office documents that come with embedded Internet Explorer pages, loading the malicious code from a remote server and using advanced techniques to avoid detection.
Security researchers explain that a successful attack is based on a more complex approach that uses a public method to bypass UAC (User Account Control), as well as file steganography and memory reflection loading to make sure it can compromise the target.
Don’t open Office documents from sources you don’t trust
At this point, it looks like all versions of Internet Explorer are vulnerable to attacks, no matter the Windows version, and documents launched with any Office version trigger the exploit. Both Windows 10 and Office 2016 are said to be vulnerable.
Compromising a host is possible even if targets aren’t using Internet Explorer, as the browser engine is also bundled into other apps running on Windows.
Qihoo 360 says the bug has already been reported to Microsoft, but there’s no word on a patch just yet. Microsoft will ship a new batch of security updates on Patch Tuesday in early May, but depending on the number of attacks aimed at this flaw, an out-of-band fix could land in the meantime.
In order to remain protected until this update becomes available, users are recommended to avoid opening Office documents coming from untrusted sources. Because no payloads are bundled into the malicious files used during the attack, antivirus solutions do not flag files as infected.