- A major patch for Word must be installed. This will apply to all versions of Microsoft Word. Don’t open any emails with Word attachments unless you can verify they are real.
The downloaded file puts a decoy that looks like a document up on the screen, so users think they’re looking at a doc. It then stops the Word program to hide a warning that would normally appear because of the link. Very clever.
At that point the downloaded HTA program can run whatever it wants “in the context of the local user.” According to McAfee, the exploit works on all versions of Windows, including Windows 10. It works on all versions of Office, including Office 2016.
McAfee has two recommendations:
- Do not open any Office files obtained from untrusted locations.
- According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.
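
One way to check the second recommendation on a workstation, as an added example that is not part of the original advisory or McAfee's post. It assumes Word's standard per-user Protected View registry values (`DisableInternetFilesInPV`, `DisableAttachmentsInPV`, `DisableUnsafeLocationsInPV`), which do not appear on this page, and it only reads settings.

```powershell
# Added example: read-only audit of Word's Protected View settings for the current user.
# For each value below, 1 means Protected View is turned OFF for that file source;
# 0 or a missing value means it is on (the Office default).
$settings = [ordered]@{
    DisableInternetFilesInPV   = 'Files originating from the Internet'
    DisableAttachmentsInPV     = 'Outlook attachments'
    DisableUnsafeLocationsInPV = 'Files in potentially unsafe locations'
}

# Protected View exists from Office 2010 (14.0) on; 16.0 covers Office 2016.
$versions = '14.0', '15.0', '16.0'

# The policy hive is checked first because it overrides the user's Trust Center choice.
$roots = 'HKCU:\Software\Policies\Microsoft\Office', 'HKCU:\Software\Microsoft\Office'

$findings = foreach ($ver in $versions) {
    # Skip Office versions that have never been run under this profile.
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver\Word")) { continue }

    foreach ($name in $settings.Keys) {
        $state  = 'Enabled (default)'
        $source = 'not set'
        foreach ($root in $roots) {
            $key  = Join-Path $root "$ver\Word\Security\ProtectedView"
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $state  = if ($item.$name -eq 1) { 'DISABLED' } else { 'Enabled' }
                $source = $key
                break
            }
        }
        [pscustomobject]@{
            OfficeVersion = $ver
            AppliesTo     = $settings[$name]
            ProtectedView = $state
            SetBy         = $source
        }
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit code lets a management tool flag the machine for follow-up.
if ($findings | Where-Object ProtectedView -eq 'DISABLED') {
    Write-Warning 'Protected View is disabled for at least one file source in Word.'
    exit 1
}
```

Run it in the logged-on user's session, since the settings live under `HKCU`; a machine with several profiles needs one run per user.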