A high-priority alert was issued by the Australian Cyber Security Centre (ACSC) at 3.30pm this afternoon, 8 September.
A vulnerability in Microsoft Office documents and Internet Explorer has been identified which permits attackers to load hostile code inside MS Office email attachments. This vulnerability is in active use by cyber criminals and would be very attractive to groups which specialise in attacking law firms.
There is no patch available for the moment, so the most practical response is a combination of reminders to network users and turning certain features off.
(1) Warn staff to be extra vigilant before opening MS Office documents in email attachments. Apply the usual due diligence:
- Is the email from a known source?
- Does the email address match the purported sender?
- Does it contain the content you expected it to?
- Unless you have inspected the document fully, do not open the document in ‘edit’ mode. (By default, attachments are opened in ‘protected view’ mode, which blocks this attack.)
- Do not ignore any security warning, particularly ‘Suspicious Cpl File Execution’.
- If in doubt, ask your IT provider to check an attachment before it is opened.
(2) The vulnerability works in conjunction with Internet Explorer, so remove IE from your devices for the time being.
(3) Turn off ActiveX controls in Internet Explorer. For instructions see here. (Microsoft has suggested a more sophisticated way of doing this which preserves functionality if your organisation needs ActiveX).
(4) Ensure anti-virus/anti-malware is running and up to date on all machines.
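To confirm that step (3) has actually taken effect on a machine, the following PowerShell audit is an added example and is not part of the original alert. It assumes ActiveX installation is restricted through the machine-wide Internet Explorer zone policy values 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls), where a value of 3 means "disable"; the function name `Get-ActiveXPolicyState` is hypothetical.

```powershell
# Added example: report whether ActiveX installation is disabled per IE security zone.
# Assumption: the restriction is applied as machine policy (HKLM). Per-user settings
# under HKCU and zone 4 (Restricted Sites) are not inspected here.
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones   = [ordered]@{ '0' = 'Local Machine'; '1' = 'Local Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet' }
$Actions = [ordered]@{ '1001' = 'Download signed ActiveX'; '1004' = 'Download unsigned ActiveX' }

function Get-ActiveXPolicyState {
    param([string]$BasePath = $PolicyBase)

    foreach ($zone in $Zones.GetEnumerator()) {
        $key = Join-Path $BasePath $zone.Key
        foreach ($action in $Actions.GetEnumerator()) {
            # A missing key or value means no policy is set for this zone,
            # so the browser falls back to its default or per-user setting.
            $value = $null
            if (Test-Path $key) {
                $item  = Get-ItemProperty -Path $key -Name $action.Key -ErrorAction SilentlyContinue
                $value = $item.($action.Key)
            }
            [pscustomobject]@{
                Zone     = $zone.Value
                Action   = $action.Value
                Value    = if ($null -eq $value) { 'not set' } else { $value }
                Disabled = ($value -eq 3)   # 3 = disable, 1 = prompt, 0 = enable
            }
        }
    }
}

$report = @(Get-ActiveXPolicyState)
$report | Format-Table -AutoSize

# Summarise anything that still allows or prompts for ActiveX installation.
$gaps = @($report | Where-Object { -not $_.Disabled })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) zone/action pair(s) do not disable ActiveX installation."
} else {
    Write-Output 'ActiveX installation is disabled by policy in zones 0-3.'
}
```

Run it in an elevated or standard PowerShell session on each workstation; it only reads the registry and changes nothing.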