​Watch your attachments: Microsoft Office bug lets hackers take over computers

AFP Photo/Sam Yeh
A dangerous new security vulnerability has been discovered in Microsoft’s Office software, threatening to hijack users of virtually every existing version of Windows.

The bug in question affects programs like Word, PowerPoint, and Excel – and could allow an intruder to gain access to and control over a user’s entire computer.

Already, Microsoft has discovered that hackers are using the bug to hack computers through PowerPoint. Windows users should be wary of opening PowerPoint files sent via email unless they completely trust the original source, the company wrote in an online security advisory. Even in cases involving trusted sources, it has advised to not open the files received unexpectedly.

“Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003,” their online statement reads. “The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”

While PowerPoint is the only known program affected so far, it is still possible that Word and Excel documents are vulnerable.

As for what this bug could enable hackers to do, the answer is pretty much everything:

“If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system,” Microsoft wrote. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The Redmond-based giant added that it is currently looking into the situation. Until that investigation is over, it is offering a temporary patch which can be downloaded off its advisory page.

“Currently, Microsoft has not indicated whether a patch to solve this issue will be sent outside of the regular Patch Tuesday cycle,” Jonathan Leopando from security firm TrendMicro told the Daily Mail.

“Until more definitive information becomes available, we advise users to be careful about opening Office documents that they have been sent, particularly if they come from parties that have not sent you documents beforehand.”

It is important to note that while Microsoft says nearly all “supported releases” of Windows are vulnerable – Windows Vista, Windows Server 2008, Windows 7, Windows 8, Windows Server 2012, and Windows RT – chances are that the popular Windows XP is also at risk. Microsoft stopped supporting that operating system earlier this year, meaning a new security patch will not fix this bug for XP users.

Back in April, another security flaw left Internet Explorer – which makes up roughly 56 percent of all browsers around the world – ripe for a cyber-intrusion. Similarly, successful hackers were said to be able to install programs, change or delete data, or create new accounts in a user’s name with all the applicable rights.