McAfee first reported the zero day vulnerability and then FireEye released additional information. Unlike some previous vulnerabilities, you don't have to enable macros for this one to work. The attack starts by opening a malicious Word attachment. The document contains a OLE2link (Object Linking and Embedding), which allows external content to be loaded. The link issues a HTTP request to retrieve a malicious .hta file, which is a HTML application. A script is loaded that closes the original document and shows a bogus one. Although the OLE2link displays a user prompt, the winword.exe process terminates it so the user doesn't see it.
The good news is that a fix is scheduled to be released today. The other positive is that, by default, the file attachment will open in Protected View and warn users. System administrators can configure Protected View so that users can't disable it. Better yet, don't open any Word attachments from a Windows system.
E-mail: email@example.com Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology