Microsoft has reportedly announced a patch for a flaw in Microsoft Word that allowed hackers to gain access to a victim’s machine.
Microsoft will fix the bug, which surfaced last weekend, as part of today’s Patch Tuesday.
A Microsoft spokesman said: “We plan to address this through an update on Tuesday April 11, and customers who have updates enabled will be protected automatically.”
The spokesman added: “Meanwhile we encourage customers to practise safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue.”
Security researchers at FireEye and McAfee discovered the zero-day bug and found that it lets hackers execute a Visual Basic script when a user opens a malicious document, sent to them, that contains an embedded exploit.
After finding various malicious Office documents that exploited the vulnerability, the researchers determined that the exploit downloads and executes malware payloads from various well-known malware families.
The exploit connects to a remote server controlled by the attacker, downloads a file that contains HTML application content, and executes it as an .hta file, McAfee wrote in a blog post. Because .hta files are executable, the attacker gains full code execution on the victim’s machine.