Tips: If the macro is available to all Word documents, it won’t be necessary to specify any part of the Word document before running the macro. Then click the Run button at the top right side. Training end users on cybersecurity best practices and the danger of opening Office documents from unknown individuals. Select the part of the Word document you want the macro to apply to, and choose the appropriate macro in the Macros dialog.
While a patch was released last year to address the vulnerability, Microsoft has taken further steps this Patch Tuesday by removing some of the functionality of Microsoft Equation Editor to prevent CVE-2017-11882 from being exploited. Businesses can mitigate this attack in three main ways: The four emails intercepted by have the subject lines: So far, four email templates have been detected by SpiderLabs researchers, although more will almost certainly be used over the coming days and weeks.
The email campaign has been developed to target businesses. The purpose of the malware is to steal passwords from web browsers, email accounts and FTP servers. The VBScript unpacks a PowerShell script, which in turn downloads and runs the information-stealing malware. The OLE object opens the RTF file which uses the vulnerability to run a MSHTA command line, which downloads and runs an HTA file containing a VBScript. This campaign similarly triggers the downloading of a document – a Rich Text File (RTF) via an OLE object embedded in the Word document. Last year, security researchers were able to exploit the vulnerability to run a sequence of commands, including the downloading of files from the Internet. Microsoft Equation Editor is an application that allows the insertion and editing of complex equations in Office documents as OLE items.
Last year, Microsoft rated the code execution vulnerability as important rather than critical, but many security professionals disagreed and claimed the vulnerability was very dangerous as the bug could be exploited to run arbitrary code and the vulnerability was present in all Office versions. The bug has been present in Microsoft Office for the past 17 years. CVE-2017-11882 was patched by Microsoft last year, although companies that have not patched their systems recently will be vulnerable to this attack. CVE-2017-11882 is a vulnerability in Office Equation Editor.
The multi-stage infection process uses the CVE-2017-11882 Word vulnerability to install an information stealer. However, the use of Microsoft Word without macros means that even opening email attachments can see malware downloaded, if patches have not been applied.
Opening a Word document sent via email will not generate the usual warnings that macros must be enabled. Employees may have been warned to be wary of any emails containing attachments, and never to enable macros on documents received via email. While macros (and macro editing) will be disabled, you can still choose to run a macro by clicking a rather obvious button that will appear above the document, once it is loaded, and just below the ribbon. A new malware campaign has been detected that uses Microsoft Word without macros. If you routinely open documents from others who may be oblivious to such code, then you'll probably want to rerun the same steps and, in step 4, choose a more restrictive option such as Disable All Macros with Notification. If you are confident in your ability to not open any documents containing malicious code, then you are fine. Now when you open the problem document, you should be able to edit the macros. A word of caution: These steps basically let any macros run on a system. Click the Enable All Macros radio button. (This option should be selected by default.) (See Figure 1.) Make sure Macro Settings is selected at the left of the dialog box. Word displays the Trust Center dialog box. Click the Macro Security tool, in the Code group. Display the Developer tab of the ribbon. This is done by going to the Trust Center. The other thing you'll want to check is the security settings on your system. Only then will you be able to modify the macros in the template. If the macros are not stored in a document but are, instead, in a template, then you'll want to load your template directly and save it back out (again, using Save As) as a macro-enabled template. If it is in a DOCM file, then you will be able to edit your macros. If you save it as a DOCX file, the macros will be stripped from it. If the macros are stored in a document, make sure that you save the document (use Save As) as a DOCM file.
The first thing you'll want to do is to figure out where your macros are stored. There are a few things to check, Patricia. She wonders what she can do to edit her macros. However, the Edit button in the Macros dialog box is grayed out. Patricia recently upgraded from Word 2007, and some of her macros need editing.