Security researchers from McAfee warn that the CVE-2012-0158 vulnerability that exists in Microsoft Office and other products that use MSCOMCTL.OCX is currently being exploited in the wild with the aid of maliciously-crafted RTF, Word and Excel files.
The security hole has been patched with the April 2012 updates, but there are a lot of users who failed to apply them, giving cybercriminals the opportunity to launch malicious operations.
Experts found that the specially crafted files come with a vulnerable OLE object embedded and are usually served to users via unsolicited emails.
So, how does the infection work?
When the malicious file is opened, the victim sees a regular document that’s presented as bait, but in the background a Trojan is silently installed.
It all starts when the Word process opens the crafted document. The CVE-2012-0158 flaw is exploited and the shellcode in the OLE file is triggered. This shellcode is responsible for installing the Trojan in the operating system’s Temp folder.
At this stage, the same shellcode starts a new Word process and opens the bait document, which is also dropped in the same Temp directory. The first process is terminated and the victim is presented only with the legitimate-looking document.
Because the malicious code is executed first and the genuine file is opened only afterwards, users whose computers are targeted may see Word open, quit, and then, almost immediately, re-launch to display the bait.
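The sequence described above leaves a recognizable trail in endpoint telemetry: a Word process writes an executable to Temp, starts a second Word process on a Temp document, then exits. The following detection sketch is an added example, not code from McAfee or from the original article; the event tuple layout, paths, PIDs and the 5-second window are assumptions, and the sample events are constructed.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

WORD = "winword.exe"
WINWORD = r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE"
TEMP = re.compile(r"\\(temp|tmp)\\", re.I)
EXEC_EXT = (".exe", ".dll", ".scr")

# Constructed telemetry, not from a real incident:
# (seconds, kind, pid, parent pid, image, command line or file path)
EVENTS = [
    (0.0, "start", 4100, 900, WINWORD, r'"C:\Users\a\Downloads\invoice.doc"'),
    (1.2, "file", 4100, 900, WINWORD, r"C:\Users\a\AppData\Local\Temp\dropped_sample.exe"),
    (1.3, "file", 4100, 900, WINWORD, r"C:\Users\a\AppData\Local\Temp\bait.doc"),
    (1.5, "start", 4188, 4100, WINWORD, r'"C:\Users\a\AppData\Local\Temp\bait.doc"'),
    (1.9, "exit", 4100, 900, WINWORD, ""),
    # Benign: a mail client opens an attachment from Temp; Word is not the parent.
    (60.0, "start", 2200, 900, r"C:\Program Files\Mail\mailclient.exe", ""),
    (61.0, "start", 5000, 2200, WINWORD, r'"C:\Users\a\AppData\Local\Temp\report.doc"'),
    (90.0, "exit", 5000, 2200, WINWORD, ""),
]

def find_relaunch_chains(events, window=5.0):
    """Flag a Word process that drops an executable in Temp, spawns a second
    Word on a Temp document, and exits within `window` seconds of that spawn."""
    image = {}     # pid -> lowercase image name
    drops = {}     # pid -> executables written under a Temp directory
    children = {}  # parent pid -> [(start time, child pid, command line)]
    findings = []
    for t, kind, pid, ppid, img, detail in sorted(events):
        name = basename(img).lower()
        if kind == "start":
            image[pid] = name
            # Word started by Word, opening a document that lives in Temp
            if name == WORD and image.get(ppid) == WORD and TEMP.search(detail):
                children.setdefault(ppid, []).append((t, pid, detail))
        elif kind == "file" and name == WORD:
            if TEMP.search(detail) and detail.lower().endswith(EXEC_EXT):
                drops.setdefault(pid, []).append(detail)
        elif kind == "exit" and pid in drops:
            for started, child, cmd in children.get(pid, []):
                if 0 <= t - started <= window:
                    findings.append({"parent": pid, "child": child,
                                     "dropped": drops[pid], "bait": cmd.strip('"')})
    return findings

if __name__ == "__main__":
    print(find_relaunch_chains(EVENTS))
```

Requiring all three conditions together keeps ordinary behaviour, such as Word writing its own temporary files or a mail client opening an attachment from Temp, from matching.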
To protect themselves against this threat, Internet users are advised to apply the latest updates offered by Microsoft.
Also, users should beware of suspicious emails that may arrive in their inboxes, because most infections can be avoided if the messages that carry them are simply ignored and deleted.