Microsoft has rolled out a fix for the zero-day vulnerability in its Word productivity app that came to light a few days ago, when revealed by McAfee. This new zero-day exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10, and we recommend all users to download the fix.
The fix is a part of the regular Tuesday patch that Microsoft rolls out, and the company's quick response proves how critical the bug was - in fact, it had been actively exploited, with a fresh report by Proofpoint of more exploits coming in as well.
In its advisory, Microsoft notes, "A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue."
As we mentioned, McAfee first highlighted the exploit, and in its research report, it said that it discovered the exploit in action in late January. The samples collected by the team saw the exploit organised as Word files (more specially, RTF files with ".doc" extension name). All the user requires to do is open or preview the specially crafted file with an affected version of Microsoft Office or WordPad.
In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file, Microsoft notes. We also recommend users to observe caution before opening Word files from untrusted sources.