Microsoft patches Word against ‘Dridex’ hack that targeted Australian users


Microsoft Corp. has issued a patch to its word processing software following the discovery of a new kind of attack that allowed hackers to install malware on a victim’s computer.

The exploit, dubbed Dridex when it was discovered by McAfee LLC in late March, is distributed via a phishing email campaign that attempts to trick people into clicking on a dodgy Word document that is pretending to be an invoice.

When a victim clicks on the attached Word document, the malware takes advantage of a logic bug in the Windows Object Linking and Embedding feature of Microsoft Office that allows hackers not only to embed malicious code inside a Word document but also to have the code automatically executed when the file is opened. Once through the front door, the malicious script contacts an external server to download an HTA file that contains malicious VBScript code, which gives the hackers the ability to control the infected computer.

Interestingly, the hack has primarily targeted users in Australia, with the emails being sent to millions of recipients across numerous organizations, according to security firm Proofpoint Inc. “Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing,” the company noted.

The attack is being treated as serious at high levels. The U.S. Computer Emergency Readiness Team, part of the Department of Homeland Security, issued its own advisory noting that “The Microsoft OLE2Link object can open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.”
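One way a defender could hunt for the behaviour the advisory describes is to look in web proxy logs for Office itself being served HTA content. This is an added example, not code from the article or from any vendor named in it. The CSV log layout, the hosts, and the user-agent markers used to recognise Office-initiated requests are assumptions, and the sample lines are constructed.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample proxy log (CSV): time, client, user_agent, url, content_type.
# The field layout, hosts and user-agent strings are assumptions for illustration.
SAMPLE_LOG = """\
2017-04-10T09:14:02Z,10.0.4.17,"Mozilla/4.0 (compatible; ms-office; MSOffice 16)",http://files.example.test/invoice.doc,application/hta
2017-04-10T09:15:40Z,10.0.4.22,"Mozilla/5.0 (Windows NT 10.0; Win64; x64)",http://intranet.example.test/tools/setup.hta,application/hta
2017-04-10T09:16:11Z,10.0.4.17,"Mozilla/4.0 (compatible; ms-office; MSOffice 16)",http://sharepoint.example.test/q1.docx,application/vnd.openxmlformats-officedocument.wordprocessingml.document
2017-04-10T09:18:55Z,10.0.4.31,"Microsoft Office Word 2013",http://cdn.example.test/tmpl.rtf,Application/HTA; charset=utf-8
"""

# Assumed markers for requests issued by Office itself rather than a browser.
OFFICE_UA_MARKERS = ("ms-office", "microsoft office")
HTA_MIME = "application/hta"


def normalise_mime(value):
    """Strip parameters such as charset and lower-case the media type."""
    return value.split(";", 1)[0].strip().lower()


def find_office_hta_fetches(log_text):
    """Return rows where an Office client was served HTA content."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines instead of failing the whole run
        when, client, agent, url, ctype = row
        if normalise_mime(ctype) != HTA_MIME:
            continue
        if not any(m in agent.lower() for m in OFFICE_UA_MARKERS):
            continue
        path = urlsplit(url).path.lower()
        hits.append({
            "time": when,
            "client": client,
            "url": url,
            # The served type decides handling, so a document-looking
            # extension paired with HTA content is the strongest signal.
            "extension_mismatch": not path.endswith(".hta"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_office_hta_fetches(SAMPLE_LOG):
        print(hit)
```

Matching on the response's content type rather than the URL extension is the point of the check, since the advisory says the object acts on the server-provided MIME type.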

Responding to an inquiry by Forbes amid widespread reporting of the vulnerability, Microsoft said, “This was addressed in the April security update release today, April 11, 2017. Customers who applied the update, or have automatic updates enabled, are already protected.”

While it is a positive that Microsoft has released a patch, the attack affects all versions of Word, meaning that users who don’t update their copies or have older versions of Word that are no longer supported by Microsoft remain unprotected.
