Microsoft has advised users that a new security flaw has been discovered within Microsoft Office that makes it possible for hackers to gain administrative rights to user accounts. The company said the flaw is primarily found in PowerPoint, which has been the target of “limited, targeted attacks.”
The attack hasn’t yet been given a catchy name like headline-makers Heartbleed and Shellshock, but it has been classified as a zero-day attack, meaning a threat that infiltrates a system through a previously unknown, and therefore unpatched, vulnerability. In this case the vulnerability is triggered by a malicious Object Linking and Embedding (OLE) object; OLE is a proprietary piece of Microsoft technology that makes it possible for PowerPoint users to embed and link to documents within a slideshow.
“User interaction is required to exploit this vulnerability,” Microsoft explained in a security advisory published Tuesday evening. “In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user. For this attack scenario to be successful, the user must be convinced to open the specially crafted file containing the malicious OLE object. … In a Web-based scenario, an attacker would have to host a website that contains a specially crafted Microsoft Office file, such as a PowerPoint file, that is used in an attempt to exploit the vulnerability.”
By gaining control of a user’s administrative rights, a hacker could ultimately install new programs, change or delete existing data, or even create entirely new accounts with full administrative rights.
Microsoft said in its advisory that it’s investigating the attack and may issue an out-of-band security update, depending on how many customers are affected. In the meantime, customers are advised to avoid suspicious links and emails, and in particular not to open unexpected Microsoft Office files received from untrusted sources.