Fact or fiction? The truth about the Windows and Office hacks

In the last week, media reports suggested that Office and Windows users were at extreme risk of being hacked. Then the facts started coming in

Fact or fiction? The truth about the Windows and Office hacks

It’s been a crazy week. Last Monday we learned about the Word zero-day vulnerability that uses a booby-trapped Word document attached to an email message to infect Windows PCs. Then, on Friday, came the deluge of Windows exploits collectively identified with their leaker, Shadow Brokers, that appear to originate with the U.S. National Security Agency.

In both cases, many of us believed the sky was falling on Windows: The exploits touch all versions of Windows and all versions of Office. Fortunately, the situation isn’t as bad as was first thought. Here’s what you need to know.

How to protect yourself against the Word zero-day

As I explained last Monday, the Word zero-day takes over your PC when you open an infected Word document attached to an email. The attack takes place from inside Word, so it doesn’t matter which email program or even which version of Windows you're using.

In a twist I’ve never seen before, subsequent research into the exploit revealed it was first used by nation-state attackers but was then incorporated into garden-variety malware. Both Zach Whittaker at ZDnet and Dan Goodin at Ars Technica reported that the exploit was originally used in January to hack Russian targets—but the same code snippet turned up in a Dridex banking malware email campaign from last week. Exploits aimed at the spook set rarely get unleashed on the world at large, but this one did.

In theory, to block the exploit’s path, you have to apply both the appropriate April Office security patch and either the Win7 or Win8.1 April Monthly Rollup, the April Security-only patch, or the Win10 April Cumulative Update. That’s a big problem for a lot of folks because the April patches—210 security patches, 644 in all—are causing all sorts of mayhem.

But be of good cheer. I’m seeing verification from all over the web—including my own AskWoody Lounge—that you can avoid infection by sticking with Word’s Protected View mode (in Word, choose File > Options > Trust Center > Trust Center Settings and select Protected View).

With Protected View enabled, Word doesn’t act on any links that might set off malware from files you retrieve from the internet, such as from email and websites. Instead, you get a button called Enable Editing that lets you fully open the opened Word file. You would do that only for a Word document you trust, because if you click Enable Editing for an infected Word file, some kinds of malware fire automatically. Still, when in Protected View, Word only shows you a "viewer" style image, so you have a chance to review the document in read-only mode before deciding whether it is safe.

Word for Windows Protected View mode IDG

By default, Word’s Protected View opens documents in read-only mode, so malware won’t run. Click the Enable Editing button to edit the file—but only if you're sure it's safe.

I suggest you check out any Word document you get via email before you open it in Word. Email clients like Outlook (on all platforms, including Outlook for Web) and Gmail let you preview common file formats, including Word, so you can assess files’ legitimacy before you take the potentially dangerous step of opening them in Office. Of course, you still want to enable Protected View mode in Word even if you first preview a document in your email client—better to have more protection than less.

You can be even safer by not using Word for Windows to edit a file you suspect may be infected. Instead, edit it in Google Docs, Word Online, Word for iOS or Android, OpenOffice, or Apple Pages.

Shadow Brokers’ Windows exploits were already patched

The NSA-derived Windows hacks that Shadow Brokers hacks released last Friday originally seemed to harbor all sorts of zero-day vulnerabilities across all versions of Windows. As the weekend wore on, we found that wasn’t even close to the truth.

It turns out that Microsoft had already patched Windows, so currently supported versions of Windows are (nearly) immune. In other words, the MS17-010 patch released last month fixes nearly all the exploits in Windows 7 and later. But Windows NT and XP users won’t get any fixes because their Windows versions are no longer supported; if you run NT or XP, you are vulnerable to the NSA hacks Shadow Brokers unveiled. The status of Windows Vista PCs is still open to debate.

Bottom line: If you have last month’s MS17-010 patch installed, you’re fine. According to the KB 4013389 article, that includes any of these KB numbers:

  • 4012598 MS17-010: Description of the security update for Windows SMB Server; March 14, 2017
  • 4012216 March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2
  • 4012213 March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2
  • 4012217 March 2017 Security Monthly Quality Rollup for Windows Server 2012
  • 4012214 March 2017 Security Only Quality Update for Windows Server 2012
  • 4012215 March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • 4012212 March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1
  • 4013429 March 13, 2017—KB4013429 (OS Build 933)
  • 4012606 March 14, 2017—KB4012606 (OS Build 17312)
  • 4013198 March 14, 2017—KB4013198 (OS Build 830)

Microsoft says none of the other three exploits—EnglishmanDentist, EsteemAudit, and ExplodingCan—runs on “supported platforms,” meaning Windows 7 or later and Exchange 2010 or later.

Discussion and conjecture continues on the AskWoody Lounge.

Copyright © 2017 IDG Communications, Inc.

Shop Tech Products at Amazon