Where’s the macro? Malware authors are now using OLE embedding to deliver malicious files

Microsoft's Malware Protection Center is warning of a rise in attacks using booby-trapped Word documents, with malicious content embedded in them using OLE:

...we're seeing OLE-embedded objects and content surrounded by well-formatted text and images to encourage users to enable the object or content, and thus run the malicious code. So far, we’ve seen these files use malicious Visual Basic (VB) and JavaScript (JS) scripts embedded in a document.

Here are the simple rules I follow if I simply have to read a Word document that someone has sent to me:

  1. Don't enable macros. Ever.
  2. Don't fall for any encouragement to click or interact with any content within the document.
  3. Ideally, don't use Word to view the document in the first place. Instead, use a third-party viewer that doesn't support daft things like OLE and macros, which the vast majority of us never need.

In its blog post, Microsoft explains how to change the Registry key to disable Microsoft Office's support for OLE, ensuring that no embedded packages can be activated regardless of how desperately users try to click on them.
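
A document can also be checked for embedded OLE objects without opening it in Word at all. The following is an added example, not code from Microsoft or from this post: it inspects a .docx/.docm (a ZIP container) for embedded objects, Object Packager entries and a VBA project. The function names `triage_ooxml` and `build_sample` are hypothetical, and the sample document is constructed inline for illustration.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound-file signature
PROGID_RE = re.compile(rb'<o:OLEObject\b[^>]*?\bProgID="([^"]*)"')
MAX_XML = 8 * 1024 * 1024                        # cap reads to blunt zip bombs


def triage_ooxml(data: bytes) -> dict:
    """Report embedded objects in a .docx/.docm without rendering it."""
    report = {"ooxml": False, "embedded": [], "progids": [],
              "macros": False, "packager": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report        # legacy .doc/.rtf: needs a different parser
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report["ooxml"] = "[Content_Types].xml" in names
        for name in names:
            lower = name.lower()
            if "/embeddings/" in lower and not lower.endswith("/"):
                with zf.open(name) as fh:   # record name and whether it is OLE2
                    report["embedded"].append((name, fh.read(8) == OLE_MAGIC))
            elif lower.endswith("vbaproject.bin"):
                report["macros"] = True
            elif lower.startswith("word/") and lower.endswith(".xml"):
                with zf.open(name) as fh:
                    found = PROGID_RE.findall(fh.read(MAX_XML))
                report["progids"] += [p.decode("utf-8", "replace") for p in found]
    # "Package" is the Object Packager ProgID: it wraps an arbitrary file,
    # such as a script, behind a clickable icon.
    report["packager"] = "Package" in report["progids"]
    return report


def build_sample(with_ole: bool) -> bytes:
    """Constructed test input: a minimal ZIP shaped like a .docx."""
    obj = '<o:OLEObject Type="Embed" ProgID="Package" r:id="rId5"/>' if with_ole else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document>{obj}</w:document>")
        if with_ole:  # placeholder bytes: signature plus padding, no real object
            zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\0" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("ole", build_sample(True))):
        print(label, triage_ooxml(doc))
```

A document that reports `packager: True` or any entry under `embedded` is one to quarantine for analysis rather than open in Word.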

Wouldn't it have been great if Microsoft had just kept Word as a simple word processor, rather than foisting all this risky functionality onto us in the first place?

Update: As malware expert Vesselin Bontchev points out, Microsoft probably meant Visual Basic Script (VBS) rather than Visual Basic.

Vesselin also recommends businesses running Office harden their defences by following the advice in these articles:
