
How to Patch Microsoft Office Vulnerabilities

I assume that you use Microsoft Office at least a few times per week, and so do I! But did you know that your computer may get infected by simply opening a standard document file?

Microsoft has recently patched a serious vulnerability that affected all of its Office versions, including the most recent one, Office 365. And it's quite scary to find out that this huge security hole has been around for almost two decades without being discovered.

The Memory Corruption Vulnerability, aka CVE-2017-11882, allows remote code execution through a Microsoft Office component which manages the OLE object(s) that can be embedded in a document. Due to poor memory management, the component will allow a hacker to execute malware on the target computer.

The attacker can create a document which includes several OLEs (think fractions, etc.) and after you open it, he or she will be able to perform the desired actions: download a piece of malware from a server, run it, and so on.

It is true that Microsoft has already fixed this vulnerability, so if your computer is set to receive software patches and updates automatically, it should be safe now. However, to be on the safe side, it's best to enable Protected View, which will open your files in read-only mode. Then, if you determine that the file is safe, you can enable editing. This will also prevent old, unpatched ActiveX controls and (most of all) macros from running.

Macros are a series of commands that can help people save time. As you may already know, Microsoft Office supports a script-based programming language called VBA (Visual Basic for Applications). You can use macros to merge data from two different tables, for example. Or, you can have a slightly more complex macro which can translate all the desired documents on the fly! However, macros can also be used for evil purposes. They have the power to install malware on your computer, for example.

Most cybercriminals will send infected .doc or .xls files by email, with a subject line written to entice unsuspecting users into downloading and opening the attachment. Once the infected file is opened, it will start executing the instructions which have been embedded into it. Often, the infected file will copy itself to many other documents, with the goal of making the malware removal process almost impossible.

Here's a real-life example: called "an ever-evolving threat" by security researchers at Kaspersky Lab, the Dridex Banking Trojan targets mostly European financial institutions, and it does its job really well, managing to steal tens of millions of pounds from U.K. banks so far. The first version of the malware was released in 2011; however, new versions of Dridex are released regularly, utilizing advanced programming techniques which allow them to bypass Windows' User Account Control check.

So, how can you protect a computer from these evil macros? You could take the extreme measure of disabling macros, but this isn't always an option, especially for people and companies which need to use macros that simplify their tasks on a daily basis. The next best thing is to configure "Trusted Locations", which can be found in the "Trust Center Settings" menu. This way, only the files that have been copied to one of the trusted locations (trusted folders) can be opened.
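Before enabling editing on an attachment, it helps to know whether the file carries macros, embedded OLE objects or ActiveX controls at all. The following triage script is an added example, not code from the original article; the function names are hypothetical and the sample document is constructed in the script itself.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container header

def triage_office_file(data: bytes) -> dict:
    """Report container type and active content (hypothetical helper)."""
    report = {"format": "unknown", "macros": False, "embedded": [], "activex": []}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary formats may carry macros and OLE objects; inspecting
        # them needs a compound-file parser, so flag the file as a whole.
        report["format"] = "legacy-ole2"
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return report  # neither OLE2 nor a readable ZIP
    if "[Content_Types].xml" not in names:
        return report  # a ZIP, but not an Office Open XML package
    report["format"] = "ooxml"
    for name in names:
        lower = name.lower()
        if lower.endswith("/vbaproject.bin"):
            report["macros"] = True  # VBA project storage
        elif "/embeddings/" in lower:
            report["embedded"].append(name)  # embedded OLE objects
        elif "/activex/" in lower:
            report["activex"].append(name)  # ActiveX control parts
    return report

def needs_review(report: dict) -> bool:
    """True when the file should stay in Protected View until checked."""
    return (report["format"] == "legacy-ole2" or report["macros"]
            or bool(report["embedded"]) or bool(report["activex"]))

def build_sample(parts: dict) -> bytes:
    """Constructed input: a minimal OOXML-shaped ZIP, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample({"word/document.xml": "<doc/>",
                           "word/vbaProject.bin": b"\x00",
                           "word/embeddings/oleObject1.bin": b"\x00"})
    print(triage_office_file(sample), needs_review(triage_office_file(sample)))
```

A clean result only means no active content was found in the package listing; it does not replace patching or Protected View.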