Macros in Microsoft Word documents have been used for malware delivery for a long time. Any document that asks you to “Enable Content” should raise a big red flag. However, a newly disclosed vulnerability in Word allows the download and execution of arbitrary malware even when macros are not enabled. Microsoft has no plans to correct this, so we recommend extreme caution in opening any email attachments which are Word documents, and to exit the document at once if you see a prompt that says “This document may contain links that refer to other files…”

This attack uses Microsoft’s Dynamic Data Exchange (DDE) which allows one document to access data from another document, even if it belongs to different application. For example, you can create a report in Word that uses numbers from an Excel spreadsheet via DDE. Then if you update the Excel document, the next time you open the Word document it pulls the latest numbers from the spreadsheet. This is really useful for some business applications. However, it seems that Microsoft made DDE a bit too general purpose. You can use a field in a Word document to launch the Windows command line interpreter cme.exe, have that launch the scripting tool powershell, and then have powershell download and execute malware from any URL on the Internet. The contents of the field would look like this:



When you open a Word document containing a field like this, you will receive two warnings, the first one asking you if you want to update links to the other document, and a second one asking if you want to run cmd.exe. However, according to researchers who discovered this vulnerability, the second message can be suppressed with the correct syntax.

We do not recommend opening unsolicited email attachments, even if they appear to come from a trusted source, as spear phishing attacks can be very effective at imitating trusted sources. If you do open a Word or other Office document and see any sort of alert message asking for additional permissions of any sort, it is highly probable that this is a malicious attack. Refuse the permissions, close the document, and delete it from you hard disk. Note that new attacks of this sort will not be detected by anti-virus software immediately, so always be on your guard.