New Zero-day vulnerability is found in Microsoft Word

Microsoft Office has been frequently bashed for its security: a huge number of vulnerabilities were found in the suite of Office apps over the years, and many of them were critical. Microsoft is continuously working on improving the security and stability of Office apps and delivers updates for them as frequently as possible. But it seems not all of the vulnerabilities can be fixed right away. A recent report from a security research firm, FireEye, reveals that users may still be attacked with a simple RTF file opened in Microsoft Word.

Hackers can send a specially crafted RTF file to any user; when it is opened in Word, it executes a Visual Basic script, allowing the harmful code to run. Criminals have already been using this attack method for a few weeks, and Microsoft is aware of its existence.

McAfee, the security firm best known for its anti-virus products, has also discovered this vulnerability and calls it a "logical bug":

The successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system.

The cause of the issue, according to researchers, is hidden in Microsoft's Object Linking and Embedding (OLE) technology. All Office suite versions, including Office 2016, are currently vulnerable to this exploit.

Microsoft is hoping to fix this issue with a patch that will be distributed later today with their regular Patch Tuesday rollout.
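Since the flaw sits in OLE, a defender can triage incoming RTF attachments by listing the OLE objects they carry before anyone opens them in Word. The script below is an added example, not code from FireEye, McAfee or Microsoft; its function names and the sample document are constructed here, and it assumes the object travels in a standard `\object` group with hex-encoded `\objdata` that starts with an OLE 1.0 header.

```python
import re
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound-file signature
LINK_WORDS = (b"\\objlink", b"\\objautlink")     # object is a link, not embedded data

def group_end(data, start):
    """Index just past the '}' that closes the RTF group opened at data[start]."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":            # escaped char or control word: skip next byte
            i += 2
            continue
        depth += (c == b"{") - (c == b"}")
        if c == b"}" and depth == 0:
            return i + 1
        i += 1
    return len(data)              # truncated or unbalanced file

def scan_rtf(data):
    """Return one dict per {\\object ...} group found in raw RTF bytes."""
    findings = []
    for m in re.finditer(rb"\{\s*\\object(?![a-z])", data):
        group = data[m.start():group_end(data, m.start())]
        blob = b""
        d = re.search(rb"\\objdata(?![a-z])([^{}\\]*)", group)
        if d:  # hex digits; RTF readers ignore whitespace between them
            digits = re.match(rb"[0-9A-Fa-f]*", re.sub(rb"\s+", b"", d.group(1))).group(0)
            blob = bytes.fromhex(digits[:len(digits) // 2 * 2].decode())
        fmt = name = None
        if len(blob) >= 12:  # OLE 1.0 header: version, format id, class-name length
            _ver, fmt, n = struct.unpack_from("<III", blob)
            if n <= 255 and 12 + n <= len(blob):
                name = blob[12:12 + n].rstrip(b"\0").decode("ascii", "replace")
        findings.append({"offset": m.start(), "format_id": fmt, "class_name": name,
                         "linked": any(w in group for w in LINK_WORDS),
                         "has_ole2": OLE2_MAGIC in blob, "object_bytes": len(blob)})
    return findings

def constructed_sample():
    """Benign RTF built for this example: one embedded object with a stub body."""
    blob = struct.pack("<III", 0x0501, 2, 16) + b"Word.Document.8\0"
    blob += struct.pack("<III", 0, 0, 16) + OLE2_MAGIC + b"\0" * 8
    h = blob.hex().encode()
    return (b"{\\rtf1 Hello {\\object\\objemb{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + h[:40] + b"\r\n" + h[40:] + b"}}}")

if __name__ == "__main__":
    print(scan_rtf(constructed_sample()))
```

An RTF attachment that reports any object at all is worth a closer look, since ordinary text documents rarely need one. The scan does not handle `\bin` data or control words placed inside the hex run.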
