There’s currently no patch for the bug, which affects most or all versions of Word.

There's a new zeroday attack in the wild that's surreptitiously installing malware on fully-patched computers. It does so by exploiting a vulnerability in most or all versions of Microsoft Word.

The attack starts with an e-mail that attaches a malicious Word document, according to a blog post published Saturday by researchers from security firm FireEye. Once opened, exploit code concealed inside the document connects to an attacker-controlled server. It downloads a malicious HTML application file that's disguised to look like a document created in Microsoft's Rich Text Format. Behind the scenes, the .hta file downloads additional payloads from "different well-known malware families."

The attack is notable for several reasons. First, it bypasses most exploit mitigations, so it works even against Windows 10, which security experts widely agree is Microsoft's most secure operating system to date. Second, unlike the vast majority of the Word exploits seen in the wild over the past few years, this new attack doesn't require targets to enable macros. Last, before terminating, the exploit opens a decoy Word document in an attempt to hide any sign of the attack that just happened.
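The second stage described above is a download that is presented as an RTF document but actually carries HTML Application content. The following is an added defender-side heuristic, not code from FireEye, McAfee or Microsoft: it assumes you have the HTTP Content-Type header and the response body (for example from a proxy log or sandbox capture), and all sample payloads in it are constructed.

```python
"""Heuristic triage of a download that claims to be RTF but may be an HTA.

Assumption (not from the original reporting): the caller supplies the
Content-Type header value and the raw response body of the download.
"""

RTF_MAGIC = b"{\\rtf"
# Substrings typical of HTA content. Constructed example list, not an
# exhaustive signature set.
HTA_MARKERS = (b"<hta:application", b"<script", b"activexobject")
RTF_TYPES = {"application/rtf", "text/rtf", "application/msword"}


def looks_like_rtf(body: bytes) -> bool:
    """Genuine RTF starts with the control word {\\rtf (whitespace allowed)."""
    return body.lstrip().startswith(RTF_MAGIC)


def hta_markers_found(body: bytes) -> list:
    """Return the HTA markers present in the body (case-insensitive)."""
    low = body.lower()
    return [m.decode() for m in HTA_MARKERS if m in low]


def classify_download(content_type: str, body: bytes) -> str:
    """Return 'rtf', 'hta-disguised-as-rtf', 'hta' or 'other'.

    Any HTA marker is decisive: prepending an RTF header to HTML content
    is a cheap disguise, so the magic bytes are never trusted on their own.
    """
    claimed_rtf = content_type.split(";")[0].strip().lower() in RTF_TYPES
    if hta_markers_found(body):
        disguised = claimed_rtf or looks_like_rtf(body)
        return "hta-disguised-as-rtf" if disguised else "hta"
    if claimed_rtf and looks_like_rtf(body):
        return "rtf"
    return "other"


# Constructed samples for a stand-alone run; not captured traffic.
GENUINE_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}} Quarterly report\\par }"
DISGUISED = (b"{\\rtf1 decoy header\n<html><head>"
             b"<HTA:APPLICATION id=\"x\"/>"
             b"<script language=\"VBScript\">' constructed, body omitted</script>"
             b"</head></html>")

if __name__ == "__main__":
    print(classify_download("application/rtf", GENUINE_RTF))  # rtf
    print(classify_download("application/rtf", DISGUISED))    # hta-disguised-as-rtf
```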

The zeroday attacks were first reported Friday evening by researchers from security firm McAfee. In a blog post, they wrote:

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim's machine. Thus, this is a logical bug [that] gives the attackers the power to bypass any memory-based mitigations developed by Microsoft. The following is a part of the communications we captured:

The successful exploit closes the bait Word document and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim's system.

The root cause of the zeroday vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office. (Check our Black Hat USA 2015 presentation in which we examine the attack surface of this feature.)

FireEye researchers said they have been communicating with Microsoft about the vulnerability for several weeks and had agreed not to publicly disclose it pending the release of a patch. FireEye later decided to publish Saturday's blog post after McAfee disclosed vulnerability details. McAfee, meanwhile, said the earliest attack its researchers are aware of dates back to January. Microsoft's next scheduled release of security updates is this Tuesday.

Zeroday attacks are typically served only on select individuals, such as those who work for a government contractor, a government agency, or a similar organization that's attractive to nation-sponsored hackers. Still, it's not uncommon for such attacks to be visited on larger populations once the underlying zeroday vulnerability becomes public knowledge.

People should be highly suspicious of any Word document that arrives in an e-mail, even if the sender is well known. The attacks observed by McAfee are unable to work when a booby-trapped document is viewed in an Office feature known as Protected View. Those who choose to open an attached Word document should exercise extreme caution before disabling Protected View. There's no word yet if use of Microsoft's Enhanced Mitigation Experience Toolkit prevents the exploit from working.



Apple fixed hundreds of bugs, 223 to be exact, across a slate of products including macOS Sierra, iOS, Safari, watchOS, and tvOS on Monday.

More than a quarter of the bugs, 40 in macOS Sierra, and 30 in iOS, could lead to arbitrary code execution – in some instances with root privileges, Apple warned.

The lion’s share of the vulnerabilities patched Monday, 127 in total, were fixed in the latest version of macOS Sierra, 10.12.4.

Ian Beer, a researcher with Google’s Project Zero group, uncovered seven of the vulnerabilities, including six that could have enabled an application to execute arbitrary code with kernel privileges. South Korean hacker Jung Hoon Lee, perhaps better known in hacking circles by his handle Lokihardt, is credited for finding two vulnerabilities as well – one in the kernel and one in WebKit. Lokihardt, a veteran of Pwn2Own competitions, joined Project Zero in December 2016.

The update also fixed a memory corruption issue that stemmed from how certificates were parsed. The bug, technically a use-after-free vulnerability, existed in the X.509 certificate validation functionality present in macOS and iOS. According to Aleksandar Nikolic, a researcher with Cisco’s Talos Security Intelligence and Research Group who found the bug, an attacker with a specially crafted X.509 certificate could have triggered it and carried out remote code execution. Nikolic says a victim could be tricked in several ways: a user could be served a malicious cert by a website, the Mail app could connect to a mail server that presents a malicious cert, or the user could open a malicious cert to import it into the keychain.

Talos claims it verified the most recent versions of macOS Sierra, 10.12.3, and iOS, 10.2.1, are vulnerable. Older versions of the operating systems are likely affected too, the firm claims.

As usual, a large chunk of vulnerabilities in the OS were addressed by updating the open source software implementations that macOS uses to their next versions. Forty-one different bugs were fixed by updating tcpdump, a free packet analyzer, to version 4.9.0. Eleven vulnerabilities were fixed by updating LibreSSL and PHP to versions 2.4.25 and 5.6.30 respectively. Four vulnerabilities were addressed by updating OpenSSH in macOS to version 7.4.



Combined with police body cameras, it could redefine the nature of public spaces.

Police body cameras are widely seen as a way to improve law enforcement’s transparency with the public. But when mixed with police use of facial-recognition tools, the prospect of continual surveillance comes with big risks to privacy.

Facial-recognition technology combined with police body cameras could “redefine the nature of public spaces,” Alvaro Bedoya, executive director of the Georgetown Law Center on Privacy & Technology, told the House oversight committee at a hearing March 22. It’s not a distant reality and it threatens civil liberties, he warned.

Technologists already have tools, and are developing more, that allow police to recognize people in real time. Of 38 manufacturers who make 66 different products, at least nine already have facial recognition technology capabilities or have made accommodations to build it in, according to a 2016 Johns Hopkins University report, created for the Justice Department, on the body-worn camera market.

Rather than reviewing footage after the fact, cops with cameras and this technology can scan people as they pass and, with the aid of algorithms, assess who they are, where they’ve been, and whether they are wanted for anything from murder to a traffic ticket. This, say legal experts, puts everyone—even law-abiding citizens—under perpetual surveillance and suspicion.

A 2016 report from the Georgetown Law Center on Privacy & Technology notes the free speech and privacy concerns this raises, and warns that citizens will become unwitting participants in an unending police procedure. From the report:

There is a knock on your door. It’s the police. There was a robbery in your neighborhood. They have a suspect in custody and an eyewitness. But they need your help: Will you come down to the station to stand in the line-up? Most people would probably answer “no.”

The researchers note that 16 states already let the FBI use face-recognition technology to compare suspected criminals to their driver’s license or other ID photos, creating an algorithmically determined virtual lineup of residents. And state and local police departments are building their own face recognition systems, too.

“Face recognition is a powerful technology that requires strict oversight. But those controls by and large don’t exist today,” said Clare Garvie, one of the report’s authors. “With only a few exceptions, there are no laws governing police use of the technology, no standards ensuring its accuracy, and no systems checking for bias. It’s a wild west.”

The interest in this technology extends internationally. NTechLab, which is located in Cyprus and in Russia, and which claims to make the world’s most accurate facial-recognition technology, has pilot projects in 20 countries, including the U.S., China and Turkey. The company says it uses machine learning to “build software that makes the world a safer and more comfortable place.”



The House of Representatives voted to reverse regulations that would have stopped internet service providers from selling your web-browsing data without your explicit consent. It’s a disappointing setback for anyone who doesn’t want big telecoms profiting off of their personal data. So what to do? Try a Virtual Private Network. It won’t fix all your privacy problems, but a VPN’s a decent start.

In case you’re not familiar, a VPN is a private, controlled network that connects you to the internet at large. Your connection with your VPN’s server is encrypted, and if you browse the wider internet through this smaller, secure network, it’s difficult for anyone on the outside to eavesdrop on what you’re doing. VPNs also take your ISP out of the loop on your browsing habits, because all the ISP sees is an endless stream of connections from you to the VPN server.

There are more aggressive ways of hiding your browsing and more effective ways of achieving anonymity. The most obvious option is to use the Tor anonymous browser. But attempting to use Tor for all browsing and communication is difficult and complicated. It’s not impossible, but it’s probably not the easy, broad solution you’re looking for day to day to protect against an ISP’s prying eyes.

Trust Factors

VPNs can shield you from your big bad cable company, but they are also in a position to potentially do all the same things you were worried about in the first place—they can access and track all of your activities and movements online. So for a VPN to be any more private than an ISP, the company that offers the VPN needs to be trustworthy. That’s a very tricky thing to confirm.