It was reported over last weekend that there was a Microsoft Word vulnerability that allowed a type of Word malware (malicious software) to infect a person's PC/laptop simply by opening the document. Even having macros disabled would not protect the victim.
So what happens?
You get an e-mail from somebody with a Word document attachment (specifically a rich text format or RTF type document, but it has a .DOC file extension). If you open this file, there is something embedded in it which causes Word to send a request to a remote server, which downloads some nasty program code to your machine. It then pops up a fake document for you to see, so you think nothing suspicious is going on. Meanwhile, in the background, the malware continues doing whatever evil work its creators have decided it should do to you. Quite likely it will execute ransomware, which will scramble all your files and charge you money to get them back.
If you didn’t follow Commandment 5 and opened the document (just out of curiosity, of course), then I pray you at least adhered to Commandment 4 and had a good backup of your data which you can recover from.
This vulnerability affects all versions of Word up to and including Word 2016 running on all versions of Windows up to and including Windows 10.
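For anyone who filters mail or triages suspicious attachments, the mismatch described above (RTF content behind a .DOC name) can be checked from the first bytes of the file without opening it in Word. The following is an added example, not part of the original post; the function names and the sample data are constructed for illustration.

```python
import re

# Magic bytes: a genuine legacy .doc is an OLE2 compound file,
# while RTF is plain text that starts with "{\rtf".
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"
# RTF control word that introduces an embedded or linked object.
RTF_OBJECT = re.compile(rb"\\object(?![a-z])")


def sniff_type(data: bytes) -> str:
    """Identify the real format from content, ignoring the file name."""
    if data.lstrip().startswith(RTF_MAGIC):  # tolerate leading whitespace
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2-doc"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment deserves a closer look (empty if none)."""
    reasons = []
    kind = sniff_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "doc" and kind == "rtf":
        reasons.append("named .doc but content is RTF")
    elif ext == "doc" and kind == "unknown":
        reasons.append("named .doc but content is not a Word binary document")
    if kind == "rtf" and RTF_OBJECT.search(data):
        reasons.append("RTF contains an embedded or linked object")
    return reasons


# Constructed sample inputs (harmless placeholders, no payload).
SAMPLES = {
    "invoice.doc": b"{\\rtf1\\ansi{\\object{\\*\\objdata 00}}Hello}",
    "notes.rtf": b"{\\rtf1\\ansi Plain text only}",
    "report.doc": OLE2_MAGIC + b"\x00" * 504,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", triage_attachment(name, blob) or "no findings")
```

Legitimate RTF files can also contain objects, so treat a finding as a reason to quarantine and inspect, not as proof of malware.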
So, it’s really quite simple. Please follow Commandment 5 and do not open attachments or click on links in e-mails from strangers. Also be very wary of e-mails from friends, family or co-workers that are, even slightly, out of the ordinary. Pick up the phone and ask them if they did send you that e-mail.
FireEye, a security company, had been working with Microsoft on this vulnerability, which may or may not be patched in tomorrow’s Patch Tuesday. However, McAfee made the vulnerability public last Friday and so the cat is out of the bag. Some might say that it was reckless of McAfee to do this, but they noted that attacks have been occurring since January and if Microsoft were not to patch this bug tomorrow, then that could mean another month without a solution. So I’m inclined to let them off with this on that basis.
So at the end of the day, have a read through my Ten Commandments of Cyber Security. If you follow even half of them, you will be much more secure than following one or none of them.