This zero-day Windows flaw opens a backdoor to hackers via Microsoft Word. Here's how to fix it


Microsoft has detailed a workaround for admins to protect their networks from a zero-day flaw in a Windows tool that hackers have been exploiting via malicious Word documents. 

Over the weekend, security researchers discovered a malicious Word document that was uploaded to Google-owned VirusTotal on 25 May from an IP address in Belarus. 

Security researcher Kevin Beaumont found that the malicious document – or ‘maldoc’ – was allowed to execute code via the legitimate Microsoft Support Diagnostic Tool (msdt.exe) even when macros are disabled. The malicious Word document calls up MSDT in Windows via the ‘ms-msdt’ URL protocol. MSDT launches ‘troubleshooter packs’. 

Office Protected View – a feature that prevents macros from running in documents downloaded from the internet – functions as expected. However, according to Beaumont, the malicious code can still be executed if the Word document is converted to Rich Text Format (RTF) and then opened.


He described the bug as a “zero-day allowing code execution in Office products”, one that ignores the user’s instruction to disable macros. At the time, Microsoft Defender had no detection for this attack, although that has since changed.
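The attack path above depends on the ‘ms-msdt’ URL protocol handler being registered on the machine, which is why Microsoft’s workaround targets that registration. The following PowerShell script is an added example, not code from the article or from Microsoft: it reports whether the handler is present and what it would launch, and with `-Remove` backs the key up and unregisters it so the handler can be restored later. It assumes the handler lives at `HKEY_CLASSES_ROOT\ms-msdt` with the usual `shell\open\command` subkey (the standard layout for Windows URL protocol handlers) and uses an assumed backup path under `%TEMP%`; run it from an elevated prompt.

```powershell
# Added example (not from the ZDNet article or Microsoft): inspect and, on request,
# back up and unregister the ms-msdt URL protocol handler that the maldoc abuses.
# Assumption: the handler is registered at HKCR\ms-msdt, the standard location
# for URL protocol handlers, with the launch command under shell\open\command.
param(
    [switch]$Remove,
    [string]$BackupPath = "$env:TEMP\ms-msdt-backup.reg"   # assumed backup location
)

$key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

if (-not (Test-Path $key)) {
    Write-Output 'ms-msdt protocol handler is not registered; nothing to do.'
    return
}

# Show the command the handler would run so the admin can confirm it points at msdt.exe.
$cmd = (Get-ItemProperty "$key\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
Write-Output "ms-msdt handler is registered. Launch command: $cmd"

if ($Remove) {
    # Export first so the handler can be restored later with: reg import <BackupPath>
    & reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Error 'Backup failed; leaving the registry key in place.'
        return
    }
    & reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
    Write-Output "Handler backed up to $BackupPath and removed."
}
```

Run without `-Remove` first to confirm the finding across a fleet (for example via a management tool that collects the script’s output); the export step is kept mandatory so that Microsoft’s later fix, or legitimate troubleshooter use, can be restored with `reg import`.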

The Word-RTF macro attack worked on fully

Read More: https://www.zdnet.com/article/this-zero-day-windows-flaw-opens-a-backdoor-to-hackers-via-microsoft-word-heres-how-to-fix-it/#ftag=RSSbaffb68