The October bundle of Office security patches includes one for a bug that’s already known and being used by hackers.
Known as CVE-2017-11826, this is a Word bug that lets a malicious RTF/DOCX combination gain access to your computer. In the observed attack, the malware uploaded all the documents, images and other files it could find to the hackers.
Who is affected?
All versions of Office for Windows are affected. Patches are available for Office 2016, Office 2013, Office 2010 and Office 2007, plus the Office Compatibility Pack, the related server products and the Word Viewer.
What to do
You should get the fix automatically as part of regular Office updates. To be sure you're up to date, force an Office update now (the method depends on your version of Office and how it was deployed, e.g. MSI or Click-to-Run).
If necessary, go to this page for the full list of download links.
Microsoft’s delayed response
The attack started in August 2017. It was detected by Qihoo 360 Core Security in late September and patched by Microsoft on 10 October as part of their regular Patch Tuesday bundle. That meant customers were vulnerable for over a month before Redmond protected them.
Microsoft's response is a little tardy given that the vulnerability was being used to attack customers. The company's 'details' of the bug use the usual bland and non-specific phrasing, and were only published on 10 October, when the patch was already available.
We’re intrigued that the bug severity is only considered ‘Important’ not ‘Critical’ since the attack was both known widely and being exploited by hackers – as admitted by Microsoft itself.