rgb.exe</strong> (presumably compressed inside the 1.c CAB file)</li>
</ul>
</li>
</ul>
</li>
</ul>
</blockquote>
<p>Beaumont also called attention to this academic paper, which in August 2020 showed how to use MSDT to execute code. That suggests that there was at least one other time the company’s security team failed to grasp the potential for this behavior to be maliciously exploited.</p>
<h2>No, Protected View won’t save you</h2>
<p>Normally, Word is set up to load content downloaded from the Internet in what’s known as Protected View, a mode that disables macros and other potentially harmful functions. For reasons that aren’t clear, Beaumont said, if the document is loaded as a Rich Text Format file, it “runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”</p>
<p>In other words, Huntress researchers wrote, the RTF file can “trigger the invocation of this exploit with just the Preview Pane within Windows Explorer.” In so doing, “this extends the severity of this threat by not just ‘single-click’ to exploit, but potentially with a ‘zero-click’ trigger.”</p>
<p>Besides the document uploaded to VirusTotal on Friday, researchers uncovered a separate Word file uploaded on April 12 that exploits the same zero-day.</p>
<p>Given the severity of this unpatched vulnerability, organizations that rely on Microsoft Office should thoroughly investigate how it affects their networks. Disabling the MSDT URL protocol isn’t likely to create major disruptions in the short run, and possibly not in the long run either. While investigating — at least until Microsoft releases more details and guidance — Office users should turn the protocol off entirely and give any documents downloaded over the Internet additional scrutiny.</p>
</p></div>
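The workaround the article recommends, turning the MSDT URL protocol off, comes down to removing the handler Windows registers for the `ms-msdt:` scheme. The script below is an added example, not from the article or from Microsoft; it assumes the handler lives at `HKEY_CLASSES_ROOT\ms-msdt` (the standard location for URL protocol handlers) and uses a backup path of its own choosing, so the key can be restored once a patch is installed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit, back up and remove the ms-msdt
# URL protocol handler, then restore it later. Assumes the handler is at
# HKEY_CLASSES_ROOT\ms-msdt and that $BackupFile is a path you choose.

$ProtocolKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile  = Join-Path $env:ProgramData 'ms-msdt-backup.reg'

function Test-MsdtProtocolEnabled {
    # True while the ms-msdt scheme still has a registered handler,
    # i.e. while a crafted document could still reach MSDT through it.
    return Test-Path -LiteralPath "Registry::$ProtocolKey"
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolEnabled)) {
        Write-Host 'ms-msdt protocol handler is not registered; nothing to do.'
        return
    }
    # Export first so the handler can be put back after patching.
    & reg.exe export $ProtocolKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; aborting." }
    & reg.exe delete $ProtocolKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Could not delete the ms-msdt key.' }
    Write-Host "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtProtocol {
    # Re-import the exported key once Microsoft's fix is installed.
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup found at $BackupFile"
    }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Import of the backup failed.' }
    Write-Host 'ms-msdt handler restored from backup.'
}

# Usage: run Disable-MsdtProtocol now; run Restore-MsdtProtocol after patching.
Disable-MsdtProtocol
Write-Host ("Handler still registered: {0}" -f (Test-MsdtProtocolEnabled))
```

Run `Test-MsdtProtocolEnabled` across your fleet to confirm the handler is gone before treating the workaround as applied.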