According to threat analysis research from security firm Proofpoint, a vulnerability in Microsoft Office is being exploited by Chinese government hackers.
Proofpoint has linked exploitation of the Word vulnerability to a hacking group that targeted the Central Tibetan Administration, the Tibetan government in exile. The actor, believed to be linked to the Chinese government, is known to have targeted the Tibetan exile community before.
Chinese hackers have a history of using software security flaws to target Tibetans. A report published by Citizen Lab in February of this year documented extensive targeting of Tibetan political figures with malicious software, including a malicious add-on for the Firefox browser that was used to spy on Tibetan activists.
On May 27th, a security research group known as Nao Sec took to social media to discuss a sample exploiting the Microsoft Word vulnerability that had been submitted to the online scanning service VirusTotal. The malicious code was delivered through Microsoft Word documents, which were used to execute commands through a powerful system administration tool for Windows.
Kevin Beaumont shared more details of the vulnerability in a post on May 29th. The vulnerability allows a Word document to load files from a remote website and then execute commands through the Microsoft Support Diagnostic Tool, a program that normally collects information about crashes and other problems with Microsoft applications.
There are reports that earlier attempts to notify Microsoft of the same bug were dismissed.
According to Microsoft, an attacker can install programs; view, change, or delete data; and create new user accounts on a compromised system. Microsoft has not issued an official patch for the vulnerability, but it has published a workaround that disables the URL loading feature of the tool.
The vulnerability's impact is broad because of the widespread use of Microsoft Office and related products. As of Tuesday, the US Cybersecurity and Infrastructure Security Agency was urging system administrators to apply Microsoft's guidance for mitigating exploitation.