Microsoft and US-CERT Issue Office Malware Advice
Microsoft today warned of a somewhat new tactic being used to spread malware via Office files.
This tactic uses the Object Linking and Embedding (OLE) capability of Microsoft Office documents to perpetuate an attack. This method isn't prevalent so far. There has been "a steady decline" in such attacks since its discovery in late May, Microsoft indicated, in its announcement.
The scripts, when executed, typically drop malware, such as "TrojanDownloader:VBS," Microsoft noted.
IT pros can modify the Windows registry to block OLE package activation. They can opt to disable objects from activating, which will block script execution by end users. Microsoft lists the steps to carry that out in this support article, although it references Office 2007.
Microsoft attributed the appearance of these OLE attacks to better Office security precautions against the similar use of macros to conduct such attacks. However, that view isn't the way the United States Computer Emergency Readiness Team (US-CERT) sees it. For US-CERT, there's been a recent "resurgence" of Office macro attacks. It issued a warning to that effect this month.
This resurgence of Office macro attacks is all Microsoft's fault, according to US-CERT. Microsoft has made its Office macro warnings more confusing for end users ever since the release of Office 2010. The user interface changes in the software are to blame, according to analysis by the CERT/CC blog. Attackers are now using social engineering techniques to try to get users to enable macros by clicking on the "Enable Content" button, which is less descriptive than past warnings Microsoft has produced. Enable Content actually turns on macros in Office documents.
"The default behavior of Microsoft Office has usually allowed for inadvertent execution of malicious macros, but recent versions of Microsoft Office make it much easier for the user to make the wrong decision," the CERT/CC blog stated.
US-CERT recommends restricting access to macros in Office, which can be done by making Registry changes. Office 2016 and Office 365 have a simpler option by opting to block macros in "documents that originate from the Internet," as described here. US-CERT recommends blocking macros "without notification" to the end user for the older Office editions.
Microsoft Office for Mac 2016 apparently doesn't have an option for disabling macros, the CERT/CC blog noted.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.