Researchers have discovered a security vulnerability that exposes Microsoft Office users to malware.
The bug, which is yet to be fixed, affects all versions of Microsoft’s productivity suite, including Office 2016 for Windows 10.
The vulnerability was first revealed by McAfee researchers, though security experts at FireEye say they’ve been aware of it for several weeks and didn’t want to publicly disclose any details before Microsoft had managed to address the issue.
“The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object,” FireEye explains in a blog post.
“When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake [Rich Text Format] file. The Microsoft [HTML Application] loads and executes the malicious script.”
The bug relates to Microsoft Office’s Object Linking and Embedding (OLE) feature, and McAfee says the earliest such attack it has managed to detect took place in late January.
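The chain described above leaves two static indicators a defender can look for in a document before it is opened: an embedded OLE object whose data names the OLE2Link class, and a link to a remote .hta file. The script below is an added example, not code from the article, McAfee or FireEye; the byte patterns it matches (the RTF `\objdata` hex blob, the "OLE2Link" class name in ASCII or UTF-16LE, an `http(s)://…​.hta` URL) are a simplified model written for illustration, not the vendors' signatures, and the sample document it scans is constructed inline.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Heuristic patterns modelled on the chain described in the article: an RTF
# document carrying an embedded OLE object (\objdata hex blob) that names the
# OLE2Link class and points at a remote .hta file. These are assumptions for
# illustration, not the vendors' detection signatures.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
HTA_URL_RE = re.compile(rb"https?://[^\s\"'<>{}]+?\.hta\b", re.IGNORECASE)
OLE2LINK_ASCII = b"OLE2Link"
OLE2LINK_UTF16 = "OLE2Link".encode("utf-16-le")


@dataclass
class ScanResult:
    has_ole_object: bool = False
    has_ole2link: bool = False
    hta_urls: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Flag only the combination the report describes: OLE2Link + remote .hta
        return self.has_ole2link and bool(self.hta_urls)


def decode_objdata(hex_blob: bytes) -> bytes:
    """\\objdata stores the embedded object as a hex string; decode it to bytes."""
    cleaned = re.sub(rb"\s+", b"", hex_blob)
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]  # tolerate a truncated trailing nibble
    try:
        return bytes.fromhex(cleaned.decode("ascii"))
    except ValueError:
        return b""


def _find_hta_urls(blob: bytes) -> List[str]:
    """Look for a remote .hta URL in a blob as plain ASCII or as UTF-16LE text."""
    found = [u.decode("ascii", "ignore") for u in HTA_URL_RE.findall(blob)]
    wide = blob.decode("utf-16-le", "ignore").encode("ascii", "ignore")
    found += [u.decode("ascii", "ignore") for u in HTA_URL_RE.findall(wide)]
    return found


def scan_rtf(data: bytes) -> ScanResult:
    """Scan raw RTF bytes for the embedded-object-plus-remote-HTA pattern."""
    result = ScanResult()
    urls: List[str] = []
    for match in OBJDATA_RE.finditer(data):
        result.has_ole_object = True
        payload = decode_objdata(match.group(1))
        if OLE2LINK_ASCII in payload or OLE2LINK_UTF16 in payload:
            result.has_ole2link = True
        urls += _find_hta_urls(payload)
    # The link target may also sit in the document body rather than the object
    urls += _find_hta_urls(data)
    result.hta_urls = sorted(set(urls))
    return result


def build_sample_rtf(url: str) -> bytes:
    """Constructed test document, not a real sample: an RTF whose single embedded
    object names the OLE2Link class and carries a UTF-16LE remote URL."""
    payload = (b"\x01\x00\x00\x02" + OLE2LINK_ASCII + b"\x00" * 8
               + url.encode("utf-16-le") + b"\x00\x00")
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
            + payload.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    # Placeholder host (.invalid is reserved), constructed for this example
    sample = build_sample_rtf("http://example.invalid/doc.hta")
    verdict = scan_rtf(sample)
    print("OLE object:", verdict.has_ole_object, "OLE2Link:", verdict.has_ole2link)
    print("remote .hta URLs:", verdict.hta_urls, "suspicious:", verdict.suspicious)
```

A mail gateway or triage script can run `scan_rtf` over attachments and quarantine anything marked `suspicious`; the two indicators are checked together so that ordinary documents with a linked OLE object but no remote HTA target are not flagged.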
Microsoft is expected to fix the issue this week with the release of its next Patch Tuesday security update.
It's also preparing to release the Windows 10 Creators Update, though users have the option to download the update before its official release.
For the time being, McAfee has warned Microsoft Office users against opening files from "untrusted" sources.
It also says the attack can’t bypass Protected View in Office applications, so users should keep it enabled until a patch is available.